By Dr Paul Johnston, FARPI, FISRM, ChFInstP, ChOHSP, CMAS, RPP
We hear a lot of discussions around risk culture across business sectors… I intentionally say “around” as opposed to “about”, as although people acknowledge its importance, many continue to essentially step around the subject, assuming that a risk culture will just happen by mentioning “risk management” enough times in enough policies and procedures, and that implementing a sustainable risk management framework is similarly to be achieved by inserting (or adding on) “risk management” as an element to be completed in every work system and work stream.
To me, however, that seems remarkably like “compliance” – so, let’s briefly explore the difference between the two concepts before we move on. Compliance is essentially binary. It involves “black and white” decisions based on specific requirements and standards, often requiring certain aspects to be completed for a task to be considered complete and conforming. Risk management, on the other hand, is not binary, and involves “shades of grey” decisions based on analysing issues such as strengths, weaknesses, opportunities and threats. Further to this, it could also be argued that compliance is restricted in its focus to potential threats, whereas risk management adopts a wider focus to encompass both potential threats and opportunities.
Sensing that the above may have raised a few eyebrows, let’s put it this way: compliance does not necessarily mean that risk management is involved, whereas risk management incorporates compliance as one of many facets assessed.
Which is most effective? As a risk management pracademic I am arguably biased, and will conclude that risk management is a more comprehensive approach that is better suited to the VUCAD (volatile, uncertain, complex, ambiguous and digitised) world in which we find ourselves. My concern, however, is that if a positive risk culture is absent within an organisation, its people will collectively see risk management as but yet another “box to tick” in order to meet procedural requirements. In this manner, risk management will lose its potential benefits, and become just another term for compliance. This is an outcome that I have seen on many occasions in organisations that “talk a big game” about their risk management approach, but essentially lend the term to a compliance mindset. This then has the real potential to actively contribute to a negative risk culture – one in which risk is either misused and underutilised, or one in which risk management systems are overused to a point that they are seen as obstructive and problematic – thereby often resulting in a nil reporting culture, or one in which risk assessments are manipulated to suit the needs of the moment, rather than providing weighted evidence on which to base truly balanced decisions.
I dare say this is where risk management got its reputation as being “the handbrake on happiness”.
Indeed, I have run many a risk and opportunity workshop, and 95% of the time the focus is solely on threats. Whilst this is a rabbit hole that we could easily go down (but will not do so on this occasion), it is an important issue to highlight, as a positive risk culture will not just happen when we add risk management processes (such as workshops) to everything and focus only on the negative. All that this does is reinforce the perception, and thereby the culture, that risk management sits in the negative corner and is simply a compliance item to be done, focusing on managing negative consequences alone… selling its potential application short, to say the least. Although this does indeed create a culture, I will argue that this is not a risk culture per se, but a compliance culture taking the name of risk in vain.
Sound harsh? Indulge me for a moment as we look at a few simple statements that we hear quite often:
- Risk management is integrated into everything we do
- We are a risk oriented organisation
- We employ risk based decisions
These all sound pretty good, and are based on the impression of having a positive risk culture, but I argue that their impact on an organisation will depend by and large on whether there is indeed a positive risk culture present at all levels, and in every business area, of an organisation, or whether this risk culture is negative in nature.
When I refer to a risk culture in general, I refer to the shared values, beliefs, norms, and behaviours that shape how individuals and groups approach decisions and actions in response to risks.
Building on this, a positive risk culture entails the embodiment of risk management as an embedded function and activity that is seen as an enabler of action, as well as an important contributor to achieving objectives.
In direct contrast, a negative risk culture not only lacks the aforementioned characteristics, but may typically feature compliance-centric leadership/governance and resistance to change, as well as a lack of organisational risk intelligence and limitations in communication and collaboration across business units. With this in mind, let’s revisit the previous statements from a negative risk (or risk absent) culture perspective:
- Compliance is integrated into everything we do
- We are a compliance oriented organisation
- We employ compliance based decisions
As you can see, the two mindsets/cultures can have significantly different impacts on an organisation. One will foster and facilitate issue management and opportunity-centrism, whilst the other will promote issue containment and compliance-centrism. Where the former will better equip an organisation with the adaptability to function within a VUCAD environment, the latter will lack the adaptability required.
So, to return to our starting point – asking why a positive risk culture is so important – it comes down to the mindset that it engenders, namely one which is not only adaptable, but also more inclined to consider opportunities as well as threats, together with their associated strengths and weaknesses.
So, how can organisations develop a positive risk culture?
Developing and maintaining a positive risk culture is an integrated process that needs to take into account a number of elements, both in terms of task and process. Although there is no “magic silver bullet”, this website is dedicated to establishing and maintaining a positive risk management culture within organisations, providing the means by which organisations can evaluate their current state, as well as practical guidance as to how they can then work to facilitate the development and maintenance of a more robust, positive risk culture.