Do you have a robust risk culture?

July 2016

A thorough and honest answer to this question is critical for not only financial services organisations but all public, private, government and not-for-profit organisations.

Greg Medcraft, ASIC Chairman, fired up the debate recently with a speech he gave to the Thomson Reuters 4th Annual Australian Regulatory Summit titled "Tone from the top: influencing conduct and culture" in Sydney on 21 June, 2016. A copy of his speech is included on the ASIC website and it's worth reading.

There was an outcry from some in the director community who interpreted his speech as ASIC wanting to regulate culture. But Medcraft explicitly said in his speech that ASIC has no intention of regulating culture by black-letter law.

Medcraft makes the point, "it has been said that 'culture in the new black'. It is on the minds of governments, regulators, boards and senior executives, and customers globally." Insync has seen a significant increase in the interest of boards, CEOs and senior executives in culture, particularly because it is now seen as such an important enabler of strategy.

What is culture and how is it created?

Organisational culture is often defined as "the way we do things around here". All organisations have a dominant culture and a distinctive way of doing things whether they realise it or not. Certain ways of doing things become acceptable and other ways of doing things just don't seem right or appropriate even though they might seem quite appropriate at another organisation or under other circumstances.

Cultures are shaped by the employees of an organisation and significantly impacted by its CEO and senior leaders. What a CEO or senior leader does and what they allow normally becomes acceptable. What they forbid or discourage normally becomes unacceptable. Their ongoing messaging especially about what is important and their priorities also has a significant impact especially when their words are supported by consistent deeds and actions.

Where actions are contrary to the messaging it is normally the actions that are modelled institutionalised by others into what is considered acceptable and what becomes the norm. If actions are regularly inconsistent with words cynicism will grow and a culture of mistrust will begin to form.

What you prioritise, reward and recognise has a significant impact on your culture. If you simply reward employees for producing or selling higher numbers don't be surprised if quality drops. If you only reward individual performance don't be surprised if collaboration is stifled. If you say you have a culture of excellence, among other things, you will need to reward and recognise quality as well as customer satisfaction or advocacy. Your reward, recognition and measurement systems need to support the culture you intend to form and shape.

Your culture is also influenced by your structure, systems and processes. If you have a very hierarchical, top-down structure you'll find it more difficult to build a culture of engagement and empowerment. If you use many legacy IT systems that were designed primarily from an accounting perspective those systems are unlikely to support a customer centric culture. Supplementary systems and processes that support a focus on the customer will be needed if you intend to form and shape a customer centric culture.

Values and behaviours must be well embedded to drive culture

Many organisations have adopted around five or six values as being important to their success. Many also link those values to the behaviours that they expect from their employees in relation to each of those values. Some go further and identify the behaviours that aren't accepted or supported in relation to each value.

But how many organisations can say that their values are so deeply embedded into their DNA that those values become part of the organisation's way of life? Not many! Too many announce their values and rarely refer to them again. Most don't include them as part of their employee induction or build them into their recognition or reward systems.

Also many organisations haven't adopted a set of values that will support their execution of strategy.

If partnering with others is crucial to the execution of your strategy you will need to build a collaborative culture. If you are up against some behemoth competitors, agility might be an important differentiator that will give you a competitive advantage. This requires a lot of careful thought. Just as you don't want to let your culture just drift along nor do you want to integrate values into your culture that will act as a hand-brake on your strategy.

When finalising your values ask yourself these important questions:

  • Do we have an appropriate balance of values that drive the performance of our organisation and those that help form and shape its character?
  • Which values will ensure you develop a robust risk culture?
  • Do our values apply equally well internally and externally?

Then develop a plan to deeply embed your chosen values and the related behaviours deeply into your culture and DNA.

What is risk culture and how is it measured?

All organisations have a dominant culture whether they realise it or not. You can't analyse an organisation's risk culture without understanding its overall culture just like you can't understand its performance culture or its culture of caring without also understanding its overall culture. And there are always trade-offs when it comes to culture. For example your organisation can't be predominantly internally and predominantly externally focused at the same time just as it can't be uniform and diverse at the same time.

Understanding your overall culture will help you understand your risk culture. For example, if you have a culture that assigns blame when things go wrong or if employees don't value accountability then you'll struggle to build a robust risk culture. If your culture prioritises harmony over hard conversations or if you value rules over principles you'll also struggle.

To understand your risk culture you need to dig a bit deeper. Insync uses a survey framework including leadership, behaviours, accountability and processes when measuring risk culture. Some of the things Insync asks your employees may include:

  • Does bad news and warning signs get shared promptly with more senior people?
  • Do all staff buy-in to the benefits of risk management (and not see it as owned by "management" only)?
  • Do our incentive schemes encourage inappropriate risky behaviour?
  • Do employees do the right thing even when no one is looking?
  • Is there appropriate consequence management for non-compliance?

And be sure you understand whether the gaps between your current culture and your desired culture are uniform or whether there are any isolated areas that pose an extra risk to your organisation.

Insync has also developed an innovative way to shine a light on the cultural change that is desired to support a robust risk culture and the execution of your strategy based on the views of your employees. Here is a hypothetical example of the cultural change that might be required as revealed by results from using Insync's cultural trade-offs survey. The results shown are fictitious.

Culture trade offs

Insync's cultural trade-offs survey can be used on a stand-alone basis or as a module of your employee survey. Impetus for change can then be grounded in strong evidence and the engagement of all employees.

How do you change and if necessary, transform your culture?

Cultures are very difficult to change but it can be done. If transformation is required it should be treated just like any other major project with all the appropriate leadership, focus, resourcing, detailed project planning and follow through. New systems, different structures and new communication channels may be needed to commence and sustain the transformation.

Expect backlash along the way as some employees try to hold on to the past. Transformation efforts fall down when they lack commitment from the top team and a sustained change effort. It can take just one or two cynics or passive members of a leadership team to derail and undermine the rest of the team's efforts. Employees will notice and take advantage of any lack of commitment.

Many transformation efforts require a change at the top as those at the top are normally invested in the status quo and what was. It is very hard for an existing CEO and leadership team to bring about significant changes to what has been. Take for example a CEO and leadership team that has not developed a culture of accountability or a high bar for performance. Even if the CEO and top team tried to change their actions and messaging, their employees would probably see their new words and previous actions as incongruent and are likely to have a low level of trust and some cynicism in relation to their desired "new" direction. This in itself would almost certainly undermine their efforts.

Change also takes time and a realistic plan should be developed for the new preferred state to become a new way of life for the organisation. Significant change can be effected within twelve months even in large organisations if a concerted, determined and shared commitment is applied. Engaging employees in the process and explaining why the change needs to occur and how it will support the organisation's strategy will help grease the wheels as the change is implemented. Employee acceptance and support for the change will help ensure the ideal state becomes the organisation's new way of life much sooner than it would have been otherwise.

This article includes some extracts from the following related articles:

Other related articles: