Time for HR to set the tone and lead on risk culture

(Published on HRM Online on 23.11.18)

As the ongoing Royal Commission into Banking is dramatically highlighting, there has seldom been more focus on how organisations and their employees manage risk. This means that defining, reinforcing and measuring the organisation’s risk culture is a strategic priority for senior leaders and their Boards.

What has generated fewer headlines is the opportunity, if not the imperative, this creates for HR leaders. As the function that traditionally “owns” culture, HR leaders have a vital role to play both in setting the strategic direction, and helping their organisations understand and build a strong risk culture.

And don’t think this is an issue limited to the banking industry. While much of the current global focus is on financial services, all sectors and functions face the same challenges: safeguarding customer, patient or citizens’ data; managing the reputational risks posed by social media; ensuring the financial reports are error-free; maintaining high integrity among employees. No organisation is immune, and all need a robust and proactive approach in place.

Debunking the myths around risk culture

Culture famously eats strategy for breakfast. It’s an intangible concept and perhaps one of the most frequently abused words in the business dictionary. While culture may be tritely defined as “how we do things round here” and everyone has an opinion on it, the topic is still a subject of much confusion and consulting income.

This is doubly true of “risk culture”, a coupling that takes a soft and fluffy concept – culture – and links it to one, risk, that often involves lawyers, regulators and sometimes prison sentences. So before we look at some of the key principles underpinning a strong risk culture, let’s establish some basic facts:

  1. Risk culture is not separateto organisational culture

The latter drivers the organisation’s approach to the former. APRA summarised it elegantly when they wrote that “Risk culture is not separate to organisational culture, but reflects the influence of organisational culture on how risks are managed”.

  1. Culture is an output 

“Culture” is not something that is created or exists independently of other activity within an organisation. It’s the environment and behaviours you create as a result of the practices, policies and behaviours you define and reinforce; if you hire criminals and incentivise conflict then you will create a culture of violence.

  1. Culture can be measured

There are a large number of qualitative and yes, hard quantitative measures that can be used to do this. Employee surveys are the most obvious “soft” measure used, but there are a wide range of more quantitative measures that should be considered, including the increasing use of technology to measure the language, tone and volume of communication within organisations and networks.

  1. Risk is good

Nothing is achieved without taking risks. We don’t want to prevent all risks, we want employees to understand and manage them. Too often a consequence of a focus on risk culture is that employees believe they should remove all risk from their work. This threatens innovation and can create a climate that discourages opportunity seeking and diversity of thought.

So how do HR leaders build a strong risk culture? Overwhelmingly, much of the focus is on measuring employee attitudes and responses to culture, usually via surveys and interviews. But this narrows the scope significantly, and just as importantly, does little to answer the first question when the survey results are shared; “so what do we do?”

There are five principles that HR leaders should adopt when strengthening risk culture:

The customer must be at the heart of everything

The customer voice and experience must be at the heart of your risk culture strategy. This is vital. The work of Adam Grantand others has shown how a stronger connection to the customer drives engagement and a sense of purpose. This is crucial in helping employees understand the importance and consequences of effective risk management.

Focus on the inputs

As above, culture is an output. A robust approach to strengthening or changing the culture must involve focusing on the inputs. Don’t just measure employee attitudes, but tackle the policies and activity – inputs such as recruitment, performance management, leadership development – that shape and define your organisational culture.

Take a holistic approach

It is vital that you look at the end-to-end employee experience and ensure all activity is aligned and consistent.  You can have the most robust performance management process, but if your leadership development programs are not driving the same focus on risk management then the impact is massively reduced. From your external branding to candidates through to your exit surveys, the approach should be consistent.

Align to all your cultures

Different teams and roles have different cultures and require different risk appetites. One size does not fit all. “Failing fast and breaking things” may be an essential mindset for your software developers or new product development teams, but it can be a lethal, if not illegal, approach in heavily regulated roles or functions.

Integrate into your current activity

Having a stand-alone risk survey, training course or performance appraisal is not the way forward. It may feel like this creates a clear emphasis on risk culture, but it is most likely inefficient and duplicates other activity. More importantly it sends the message that risk management is a separate activity when it should be implicit in everything your employees do.

The current focus on risk culture in not a passing fad, nor is it limited to financial services. HR leaders have a critical role to play in helping their stakeholders understand key concepts and the levers that shape organisational culture – and in taking the lead in building and measuring a strong risk culture across their organisation.

Leave a Reply