“Risk Culture”, with its implications of a deeply entrenched set of influential and effective risk attitudes, has an obvious appeal as a vehicle for risk-management, potentially opening doors to new possibilities and solutions. The practical difficulties associated with this approach arise from uncertainties concerning the definition of culture and, as a consequence, uncertainties about its mechanisms, its constituent parts, or its processes. When it comes to action, intervention or influence, it is difficult to know where the levers are, which to pull or how to get to grips with culture. This dilemma was summed up by the late Professor Peter Drucker, influential management guru and “social ecologist” who argued that; ’If it can’t be measured it can’t be managed’.
Attempts to assess organisational culture usually rely on survey information from across the target population, or a sample of it. The problem with pooling data in this way is that, whilst general trends may emerge, the rich detail is easily lost in the process. The challenge in trying to make sense of large amounts of data is to avoid averaging out the very details that may best characterise particular divisions, departments or the organisation as a whole.
Against this background, approaching risk culture from the perspective of the individuals of which it is composed has some particular advantages.
THE PEOPLE MAKE THE PLACE
Organisational culture is, at the micro level, inevitably tied to the individuals of which that culture is composed. All models of organisational culture recognise this, either explicitly or implicitly. Schneider’s (1987) ‘the people make the place’ theory of culture is the clearest example of this approach and it has been very influential. He describes a broad mechanism that links individuals to culture in his ‘Attraction, Selection, Attrition hypothesis’ (ASA). In Schneider’s view, as the culture of the organisation becomes distinctive, it attracts like minded people (attraction), the selection processes increasingly favour those that ‘fit’ (selection) and appointees that don’t fit leave or are fired (attrition). This approach has some synergy with the Culture Theory of Risk described in the opening chapter, in that the culture is determined by the nature of its membership, broadly grouped, in that case, according to the dispositions and perceptions of the Four Rationalities. The most obvious omission from Schneider’s, ASA model is that it ignores the ‘fly wheel’ effect of culture and the time-lag that we know as ‘tradition’. A modified definition might be ‘the people, past and present, make the place’. Culture is always a mixture of the influence of its current membership combined with the legacy of the past.
People naturally vary in all sorts of ways and this includes their predisposition towards risk. Two aspects of personality contribute to this; firstly, the extent to which they are either spontaneous and challenge convention or are organised, systematic and compliant. Secondly, they may be cautious, pessimistic and anxious, or optimistic, resilient and fearless. The Risk Type Compass® is a recently developed tool based on consensual, well researched and validated personality assessment practices. Its basic rationale is that, with regard to risk taking, individual differences are deeply anchored in the personality. This doesn’t make their every act precisely predictable, but Risk Type does have a pervasive and persistent influence. In culture building terms, the balance of Risk Types and their representation either across the organisation or within departments will be discernable.
The Risk Type Compass® places individuals in to one of eight Risk Types that range in levels of risk tolerance and have a fundamental influence on the way an individual is likely to perceive and handle risk and make decisions. For illustrative purposes, the eight Risk Types can be characterised broadly as follows:
Typical group; about 10% of the population scores close to the mean on each of the scales under pinning Risk Type and cannot usefully be differentiated. Such people will fall into the Average group for risk tolerance.
The degree to which an individual represents their Risk Type is demonstrated by the strength of their Risk Type. There are 5 levels of strength, ranging from Very Mild to Very Strong. The nearer the marker is to the outer edge of the compass graphic, the stronger the Risk Type and the more likely it is to influence the Risk Culture. Although the relevance of the Risk Type approach can be simplified in terms of ‘the whole is the sum of its constituent parts’ it is important to highlight that certain individuals will have greater influence on a group or organisation than others, particularly if their role is more senior or prominent.
THE BENEFITS OF A TYPOLOGY
The great advantage of approaching culture from the perspective of the constituent individuals is that Risk Type is measurable in a way that almost nothing else associated with risk culture is. We refer above to the difficulties arising from loss of detail when survey data is aggregated. Approaching risk culture through Risk Type ensures that this framework is retained, offering some resistance to the levelling out processes. From the Risk Type perspective, you can view the risk landscape in a very tangible way. Across the organisation, functions, or levels of management or within sections, departments or teams, you know where the different Risk Types are most concentrated, or where there is underrepresentation or complete absence of a Risk Type. In risk management and organisational development terms this is powerful information, a point expanded in the APPLICATIONS AND INTERVENTIONS Section below.
FROM RISK TYPE TO RISK CULTURE
RISK CULTURE MAPPING
Number and balance of Risk Types and their distribution across the organisation or within departments will inevitably influence the culture of the organisation. As a consequence, in survey mode, the Risk Type Compass® can provide an overview of the risk landscape and the prevailing risk culture. This can be conveyed graphically in a number of different ways offering the Risk Manager different and complementary perspectives.
We have used three different approaches to mapping the composites of group data. All three mapping processes are available from any Risk Type Culture survey. We refer to these approaches as A) Scattergram, B) Risk Type Influence and C) Spidergram. A comprehensive survey report might use any combination or all three and at different levels of segmentation according to the structure of the organisation and the purpose of the analysis.
A) SCATTERGRAM (RISK TYPE GROUP)
This is the simplest approach but one that benefits from 100% retention of the granulation of the original data; nothing is lost. Each of the individual Risk Type Compass assessments is plotted across departments, job levels, function, seniority, division or other group according to the desired segmentation planned for the project. Analysis of these findings would focus on the degree of convergence and diversity, identification of factions and outliers and the overall balance of Risk Types at the group level as well as for the aggregated data for the total sample. The balance and skew of the scattergram is considered against the expectations for each sub-group. For example, more risk-takers may be anticipated in the research and development team or marketing team as compared to the internal audit or risk management teams. ‘Group think’ might be a concern as a consequence of too many similarly-minded individuals occurring in the boardroom or lack of Adventurous Types might be a concern in the business units. Attitudes and behaviours that seem potentially detrimental to the company can be investigated rather than going unchallenged and reinforced. This kind of analysis illustrates the point by Peter Drucker referenced above; ‘If you can measure it, you can manage it’.
Interpretations and inferences for a risk management strategy can be made from convergence, divergence, and absence of Risk Types.
B) RISK TYPE INFLUENCE
This approach recognises the differences in the influence an individual will contribute to the overall risk culture due to the strength of their Risk Type.
Assessing the overall influence of each Risk Type on the team dynamic involves looking at:
1) Proportion of each Risk Type in the team
2) The strength of Risk Type characteristics
3) The combined impact of prevalence and strength of each Risk Type
The larger the circle in the diagram, the stronger the degree of influence of that Risk Type on the group.
In this form the graphic is objectively and arithmetically derived from test scores. However, additional weightings can be introduced to reflect different ‘what if’ scenarios. Various demographic factors can be investigated in this way considering, for example, level of qualification, status, years of experience or other socio-metric data.
C) SPIDERGRAM (RISK CULTURE)
The focus in this approach is purely on the percentage of each Risk Type in the group or organisation. As with any of these approaches, a nested series reflecting the organisational structure could drill down to focus on different departments, functions, levels or professional specialisms.
These mapping devices can also be supplemented by a composite Risk Tolerance Index (RTi) scale. This overall metric summarises the propensity for risk taking of the team, department, strata, or section and complements the more detailed Risk Type graphics. It can also give a measure of the overall risk tolerance of the organisation and inferences regarding overall risk culture can then be drawn from this.
Understanding how an employee perceives risk, thinks about risk and responds to risk (i.e. their Risk Type), is very beneficial when developing and implementing a risk management strategy. The Risk Type of the risk manager is likely to be quite different to that of a senior executive or board member, the sales director or even the auditing and compliance teams. So it is necessary to consider the Risk Type bias influencing the approach of the risk manager as well as respecting the diversity of the individuals towards whom a risk management strategy is directed. Self-awareness is as valuable to risk managers as it is desirable in those at the work-face.
PRACTICALITIES: APPLICATIONS AND INTERVENTIONS
We consider here two distinctly different risk culture development models. The first considers the utility of assessment of Risk Type within the traditional ‘survey based’ culture change project. In this model, the Risk Type Compass questionnaire provides the data, taking the place of a more conventional set of survey questions. In the second, we propose a ‘cascade’ project model; in essence a series of Risk Type team development events that start in the boardroom and then work down through successive management levels of the organisation. In both cases, the mechanisms for change are increased understanding and awareness about individual differences in risk disposition and their implications at personal and group levels.
THE SURVEY STYLE MODEL
Because the approach advocated here accumulates detailed information at the level of the individual and also describes risk culture using the same Risk Type framework, a risk culture project has multiple potential intervention strategy options. A number of possibilities are briefly outlined below:
a) Profiling and mapping the total organisational risk culture
Using total or significant sample data, map the organisation in terms of propensity for risk (RTi) and prevalence and influence of Risk Type.
b) Segmenting team/ departmental/ group risk dynamics
Focusing on the segments that are meaningful to the organisation, (departments, functions, divisions, regions etc.) and identifying the balance in risk taking styles that best characterises that unit.
c) Mapping the ‘risk landscape’ of managed units
Reviewing the fine grain provided by Risk Type survey data to explore the prevalence of different Risk Types and where they are concentrated, dispersed or absent within the organisation.
d) Strategic planning and risk policy development
Using the Risk Type survey data, linked to performance observations, to inform discussions about the suitability (benefits or challenges) posed by the current distribution and balance of Risk Types within the organisation. And to consider what interventions might be most fruitful.
GROUP/ TEAM LEVEL:
e) Profiling and mapping the team Risk Type composition
Exploring the prevalence and balance of Risk Types within the team and considering team dynamics and dynamics in that light.
f) Reviewing team functioning in the light of Risk Type
Exploring the relationship between Risk Type composition of the team and its performance.
g) Managing the balance of risk-taking tendencies
Using the team data to explore imbalances and gaps in their Risk Type profile, seeking to improve team capability through a combination of training, recruitment or redeployment.
h) Team building
Coaching teams in dealing with the particular challenges posed by their Risk Type constitution and the challenges that they face.
i) Self-discovery and awareness of propensity for risk
Using assessments of Risk Type and risk attitudes to increase an individual’s understanding of their propensity for risk and their associated risk behaviour.
j) Coaching and self-management
Building on their awareness of their Risk Type and attitudes to risk, advise and support their development in maximising the benefits and compensating for the vulnerabilities associated with their profile.
k) Developing awareness of others
Increasing interpersonal effectiveness in dealing with other Risk Types through an improved awareness and understanding of the implications of those profiles.
A focus on Risk Type provides the opportunity to develop teams, departments and functions on the basis of risk aspects of personality. The deeply rooted nature of these differences means that any mismatch between role and propensity for risk creates demands on the individual that may not benefit them or the organisation. However, since all Risk Types have their advantages as well as their disadvantages, redeployment within the organisation could be mutually beneficial.
THE ‘CASCADE’ PROJECT MODEL
The survey model is concerned with diagnostics and characterisation of the current risk culture as a starting point for a second phase, concerned with the setting of goals and planning as a basis for future intervention. The cascade model integrates the diagnostic and planning elements of a risk culture change project with implementation.
At the boardroom level, the immediate task is to explore the balance of Risk Types amongst board members; to consider the likely impact that this particular configuration would have on the team dynamics and impact on perception of risk, willingness to take risks, inter-personal perceptions, information sharing and decision making.
Objectives are to increase understanding of the nature of risk disposition and to enhance self-awareness and group awareness; to get a picture of the distinctive risk characteristics of the board as a whole (its own risk culture), and any potential emphases or biases that might be expected, to gauge the comparative risk disposition within an industry context and its implications for the balance between current competitiveness and future security.
Looking inwards, these diagnostic explorations might inform discussions about procedures and processes of the board as well as strategic considerations about the balance of the board in terms of the risk dispositions of its members.
Looking outwards, the board would consider the likely risk management implications for the wider organisation, identifying the broad agenda for the consideration of senior managers mediated through a similar group process.
The ‘cascading’ of these processes through the organisation is guided at each level by the insights and experience of a higher level of managerial responsibility and by the broad agenda set out by the board.
There are a number of benefits of the cascade approach. Firstly, and most importantly, there is boardroom involvement, support and direction from the outset. With a 41% response, a lack of management or Board direction was identified as the biggest challenge for risk culture development in a recent IRM survey. Secondly, this is complemented by a more organic interpretation of project objectives within the realities, restraints and opportunities apparent at each level. Thirdly, there is an inherent link between the individual and their own risk issues and the organisations policies and procedures, all framed within the same Risk Type conceptual matrix and a common language.
FRIENDLY FIRE OR COLLATERAL DAMAGE
The ability to differentiate people according to their deeply rooted propensity for risk-taking throws up particular issues for the management of risk culture. Risk issues are related to function. Sales and marketing need more adventurous people while accounts and compliance need to be more risk averse. This ‘horses for courses’ view of risk cuts across the idea that people are infinitely flexible and can be dragooned to submit to a risk regime of choice, whatever that may be. By dealing holistically with culture, there must be a concern about unintended consequences. It is certainly conceivable that efforts to instate a designed risk culture could be too successful and have unintended consequences in the form of a performance decrement. The creation of a compliant or risk-averse culture that extends beyond appropriate risk issues may blunt the entrepreneurial or enterprise focus on which that organisation depends for its survival. Arguably, this has been a factor behind many headline stories involving public bodies and Health & Safety, some of which have generated wide-spread criticism of the emergency services. Risk Culture initiatives need to be targeted, controlled and managed appropriately if is to be avoided.
Businesses need to balance risk against opportunity. They need risk takers as well as more cautious types. Success in any organisation requires a balance between innovation, seeking new opportunities, steering the business through the sometimes turbulent realities of the commercial and financial worlds and, on the other hand traditionalists who cling to the methods and strategies that have been successful in the past and who are, by nature, wary of the risk inherent in any innovation or change.
The danger with the concept of Risk Culture might be that, because it aspires to pervasive influence at the organisational level, it has a generally suppressive or depressive effect. The engines that drive the organisation and keeps it moving forward may, in effect, be immobilised by the inherent conservatism of compliance.
The implication of this argument is that Risk Management has to embrace both sides of the risk/opportunity equation; addressing the challenges of Risk Culture that are out of balance in either direction; being either too risk-taking or too risk averse. This concept has been labelled ‘Positive Risk Management’.
By Grace Walsh & Geoff Trickey