Risk Management Maturity

2. The Sum of Culture Subsets

Whether deliberately or inadvertently, many organisations explore limited aspects of organisational culture as part of regular programs of non-HR measurement or assessment.

While focusing on certain elements of culture can make a large challenge seem more manageable, often there is not enough thought given to how these insights need to come together across the enterprise and blind spots are created.

The two most common styles of measurement or assessment include focusing on mindset or behavioural norms or evaluating subcultures within selected business areas.

 

1. Risk Mindsets and Behaviours / Behavioural Risk: Organisations often use pre-set models or frameworks to filter and evaluate certain mindsets and/or behaviours.

Perceived Benefits:

  • Evaluated mindsets and behaviours can be pre-selected for efficiency
  • Employee perceptions are easily surveyed (on-line, using card-sort activities, or in focus groups)
  • Sentiment may be compared across the organisation and over time
  • Results may be reported against predefined thresholds or benchmarked

Observed Shortfalls:

  • Overlooks mindsets or behaviours not defined in pre-set models or frameworks, that may directly impact required organisational outcomes
  • Focuses on climate, without full consideration for all culture layers
  • Does not adequately evaluate technical competence or risk-taking soundness / aversion
  • Performed in isolation of organisational outcomes and therefore difficult to get to root cause

Provocation: These activities are more suited to deployment as part of a holistic culture and listening strategy led by HR/P&C functions as stewards of organisational culture.

Explainer: Assessing mindset and behaviour through models with pre-defined attributes overlooks other cultural attributes that influence risk-taking, risk management, and strategic performance. These overlooked attributes can include the ways staff reconcile conflicting messages from leaders about risk versus cost, the impact of past leaders and cultural milestones, ineffective organisational / escelation structures, or low competency levels, among others.

Focusing on mindsets and behaviours means activities typically only evaluate perceptions of risk management practices (reactive / lagging indicators), while missing factors that affect risk-taking or strategic performance (leading indicators).

 

2. Assessments by Business Area: In-depth assessments within specific business areas can provide valuable insights into the culture within a leader’s area of responsibility.

Perceived Benefits:

  • Supports the ability to evaluate more than mindset and behaviour and may canvass specific risk classes or controls of significance to the business area
  • Scarce resources can be deployed using a risk-based prioritisation approach
  • Evaluations can go deeper, getting below surface-level characteristics
  • Reporting can reference specific examples that are more relevant for that business area, improving understanding and to shape better actions

Observed Shortfalls:

  • Requires technical risk and compliance proficiency to evaluate comprehensively
  • Assessment prioritisation within available resources can mean some business areas are not evaluated with adequate frequency
  • Does not consider the influence of or interactions with other business areas or service units on the subculture being evaluated
  • Actions available within an individual leader’s authority may not affect sustainable culture change

Provocation: A program of deep-dive assessments can be beneficial but they need to consider more than just mindset and behaviour.

Explainer: Targeted assessments often rely heavily on organisational psychology disciplines, limiting their completeness. However, they can employ a broader range of disciplines and information such as the analysis of business area performance data, specific strategies / risks / compliance expectations, evaluation of other organisational characteristics, and consideration for the operating context. Triangulation of more data means the identification and monitoring of culture root cause also become clearer.

Using a risk-based prioritisation approach can improve utilisation of scarce resources, but it may mean some business areas are not evaluated for extended periods, during which time culture issues can quickly manifest or deteriorate.

It’s important to remember business areas do not operate in isolation of other parts of the organisation. Many non-financial risks like market/consumer conduct or operational resilience are affected by cross-organisational interactions and dependencies. Limiting assessment to surface level observations means the influence of service units (HR, IT, Finance, Risk…) on specific business areas is not adequately considered.

When it comes to acting, individual executives can often readily influence mindsets and behaviours of their people. But, as these are just a part of culture, resulting actions may not address underlying drivers or root cause. Individual leaders generally lack the authority to initiate changes in enterprise-wide attributes, such as governance, culture, accountability, or remuneration.

Aggregating individual assessments can shape hypotheses for the entire enterprise, however, these hypotheses must be validated before decisive action can confidently be taken.

The Flip: Instead of framing culture assessment from the perspective of behavioural frameworks, start with required or undesirable outcomes and seek to understand how organisational culture affects those outcomes.