As risk people, we sometimes get so focused on “risk culture” that we forget that it really is just a subset of the broader corporate culture.
In my experience, one of the most challenging parts of being a strategy and risk consultant is vague statements people will use to describe a risk.
One of the more common of these I encounter on a regular basis is “our culture is a risk.” Ugh. What am I supposed to do with this statement?
This frustration isn’t to understate the importance of culture. It’s become increasingly clear, and painfully clear for some people, that culture is the one determining factor between success and failure. A company can have all the best processes, equipment, plans, and even staff, and it won’t matter if it has a poor corporate culture.
Consequences of poor culture may be minor when taken in isolation. However, after a while, missed deadlines and other things falling through the cracks can snowball into major impacts on financial performance, reputation, and customer retention, among other impacts.
However, simply saying ‘a bad culture’ is a risk or the source of a company’s woes is too generic. When there is no context behind this statement, it is impossible for anyone – an executive, a practitioner, consultant, even a genius – to know what to do.
This is similar to saying there is ‘investment risk’ or ‘supply chain risk.’ What exactly do these mean? Are investments not diversified enough or is it the amount invested in a single investment? Are vendors located in unstable jurisdictions or simply not delivering quality product(s)?
Unlike previous articles on building risk culture and other related topics, today’s post will be focusing on how to give some context to the statement ‘our culture is a risk.’
Without this fundamental understanding, executive leaders and the broader organization will be unable to know where to focus its attention and resources.
By its very nature, culture is a nebulous terms that’s hard to define, much less pinpoint which areas to focus on. Having specific attributes of what constitutes both a good and bad culture can enable you and decision-makers to understand just exactly how culture is a risk to the organization.
One place you can start is this list of desirable and undesirable indicators found in Auditing Risk Culture: A practical guide from the Institute of Internal Auditors (IIA). Even though this list focuses on a ‘risk’ perspective, these attributes can easily apply across-the-board. Some examples of negative cultural attributes from the list include (with my paraphrasing):
- Employees believe managers and leaders don’t want to hear bad news, and that raising issues is a waste of time, or worse, can lead to retribution.
- Business units either don’t talk or otherwise have animosity toward each other.
- Lack of clarity around accountability; roles and responsibilities are not understood.
- ‘Tick-box’ approach to risk mitigations, audit findings, or strategic initiatives, coupled with the ‘this is the way we’ve always done it’ attitude.
- Undue focus on short-term profits and self-interest (this was exactly what led to the notorious Wells Fargo scandal or this banking scandal in Australia).
One common thread that flows through these examples is how each of them are driven by tone at the top. If executive leaders are not held accountable, then managers and employees will not be either. If the tone at the top implies that only good news can be shared, this mindset will flow down through the company.
Tone at the top can not only drive negative behaviors like this, it can and has to be the catalyst for improving them as well.
If employees are afraid to share input, especially if it’s not positive, company leaders can establish a value that employees should be heard and appreciated while also understanding that their advice/comments won’t always be done. This can be part of the broader mission, vision, values statement.
Many of our recent articles have focused on moving the needle of ERM from a cost-center focused on compliance to a function focused on helping the company achieve goals, deliver value, and create a competitive advantage.
Improving overall corporate culture is an invaluable part of moving this needle.
As Horst Simon, Risk Culture Builder, explains:
Companies drive value through optimizing risk management rather than a culture of compliance where people only do what is required.
Understanding exactly how “culture is a risk” in your organization is necessary for knowing which attributes of your culture need improving.
From here, specific risk statements can be developed to drive any plans or initiatives to improve the negative attributes.
Do any of these or other attributes, positive or negative, on IIA’s list sound familiar? How has your organization addressed negative behaviors so they morph into desirable behaviors?
Improving overall corporate culture is a tall order but necessary for ensuring a company can survive and thrive in today’s chaotic business environment. To share your thoughts on this extensive subject, please feel free to leave a comment below.
If you have found that your company has many of the negative attributes listed in IIA’s guide but don’t know where to start, please don’t hesitate to contact me by phone or email today to begin discussing your company’s unique needs and where to start.
