ABC of Risk Culture
The SWWE branch was delighted to invite Dr David Hillson, the Risk Doctor, back to Bristol on 5th December, to talk about risk management. David’s focus for this event was how people, teams and organisational culture impact effective risk management.
Risk management is often focussed on tools, techniques and processes, which is fine, but it is the people, and teams, operating in an organisational culture, that actually use the tools, techniques and processes. How they do so will determine how well project risk is actually managed.
Starting with culture, David discussed various definitions, covering Geert Hofstede, Edgar Shein, amongst others. His working definition, developed with the Institute of Risk Management, (IRM), is ‘the values, beliefs, knowledge and understanding, shared by a group of people with a common purpose’.
Culture will vary across any organisation with different groups with different purposes. Culture is hidden, internal, invisible and tacit.
In the ABC model of culture, Attitudes shape Behaviours, which when repeated, lead to Culture. Culture then in turn, influences attitudes and behaviours.
- Attitudes are the chosen position adopted by an individual or group in relation to a given situation, influenced by perception.
- Behaviours are external observable actions, including decisions, processes, communications etc.
- Culture is the values, beliefs, knowledge and understanding, shared by a group of people with a common purpose.
The ABC model can be applied to risk management. Risk attitude is driven by risk perception, risk behaviour is the physical actions taken related to risk which lead to risk culture. You can only see the risk behaviour, not attitude or culture.
Risk culture is important for corporate governance compliance, it is rated by Standard and Poor’s for credit worthiness, and poor risk culture can lead to corporate failure, (Walker Report, 2009). Risk culture affects the way an organisation manages risk, since it directly influences the way an organisation acts towards risk and how much risk it takes in its decisions, strategy, projects and operations. Too much risk can leave an organisation over exposed, too little risk can be too safe and result in lack of innovation. The appropriate balance is needed for the organisation’s situation.
David shared ten indicators of a good risk culture, including: Distinct and consistent tone from the top on risk-taking; Commitment to ethical principles & practice; Wide acceptance of importance of managing risk; Transparent and timely risk information flow up & down. It is ultimately driven from the top leadership.
So, how do you develop good risk culture? David discussed the IRM Risk Culture Aspects Model, which has four “aspects”, each with two characteristics: the tone at the top; governance; decision making; and competency.
Many organisations try to change culture by focussing on changing behaviours or introducing new processes, tools and reporting. But as soon as the pressure is off, behaviours will revert back the old ones if there is no change in attitude and culture. You must start with changing risk attitude first, which will then influence risk behaviour and then in turn build risk culture.
Risk attitude varies on a continuum between risk averse and risk seeking, which is driven by the situation. Risk attitude is variable, as it is chosen, and so can be managed.
Attitude to risk is driven by values, beliefs, knowledge, and understanding. David asked the audience to think where they sat on the risk attitude spectrum. Do you believe that risk is avoidable or natural, and bad or good?
Finally, David recommended the Six A’s framework, as a model to help individuals and groups change their risk attitude intentionally. It is based on emotional intelligence research and includes: Awareness & Appreciation of current risk attitude and its implications on risk behaviour & risk culture; Assessment, ok or not; Assertion and Action; and Acceptance.
In summary, the A-B-C Model links attitude and behaviour to culture, and can result in either vicious or virtuous cycles. Risk culture matters, because it drives risk thinking and risk-taking behaviour. Inappropriate risk culture can cause problems, leading organisations to take too much or too little risk.
Current risk culture can be assessed using the IRM Risk Culture Aspects Model. Risk culture can be changed only by managing and changing risk attitude.
Taking the right risks safely leads to success!
The slides are on APM Slideshare. A related paper can be downloaded free from the Writing section of the Risk Doctor website (search for “culture”), and you can also see David presenting this topic in an online webinar on the Risk Doctor Video YouTube channel.
SWWE branch Chair