AS/NZS 4360 defines risk management as ‘the culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse consequences.’ This definition highlights the need to embed risk awareness, and appropriate risk appetite, throughout an organization; not just in terms of policies and procedures, but at the level of core values, attitudes and behavioral norms.
The Cranfield School of Management (Supply Chain Vulnerability) identifies four key variables that foster success in supply chain vulnerability management, continuity management and resilience.
Risk awareness among top management
• Risk awareness as an integrated part of supply chain management
• An understanding by each employee of his or her role in risk awareness
• An understanding that changes in business strategies change supply chain risk profiles (and therefore that risk awareness must be constantly updated)
Organization culture has been defined as ‘a pattern of beliefs and exceptions shared by the organization’s members, and which produce norms which powerfully shape the behavior of individuals and groups in the organization’ (H Schwartz and S Davis, ‘Matching corporate culture and business strategy’, in Organizational Dynamics). It has been summed up as ‘the way we do things around here’ (Edgar H Schein, Organizational Culture and Leadership).
Johnson, Scholes and Whittington (Exploring Corporate Strategy) use the ‘cultural web’ as a way of representing ‘the taken-for-granted assumptions, or paradigm, of an organization, and third behavioral manifestations of organizational culture:
Source: Johnson and Scholes (1988)
The elements of the web can be used as a framework to analyze and manage organizational culture in a wide range of settings. (Note that all the elements are interlinked: any one can influence tee others to change the culture.)
• The paradigm may include core values and assumptions about risk and risk-taking, risk appetite, innovation, entrepreneurship or, on the other end of the scale, duty of care, reliability, safety, stakeholder protection and so on.
• Stories from the ‘mythology of the organization: tales of past successes or failures, disasters or rescues may shape the risk culture by typifying and reinforcing the perception that risk-taking behaviors bring dangers or rewards.
• Routines include formal procedures for risk assessment and management, but also informal norms and shortcuts developed in
practice (which may by-pass risk management rules and safety procedures.) Rituals are more symbolic behaviors: an organization may, for example, annually commemorate disasters, or include safety and risk warnings in weekly briefings or project team formations.
• Control systems refer to a wide range of ways in which behavior is controlled in organizations, a risk aware culture will be reinforced by relevant policies, procedures and rules; staff training, monitoring and supervision; rewards and sanctions; and mechanisms enforcing risk-managed behavior (such as safety, guards on machines, or built in authorization requirements for procurements).
• Organizational structure for risk management may include: allocated risk management roles and responsibilities; governance mechanisms such as division of duties, authorization and approval requirements, and supervision; escalation routes (for referring risks upwards); communication channels for risk information sharing; and so on.
• Power structures refer to how power is distributed; whether it is based on formal authority, charismatic leadership or respect for expertise, say; and who the influential individuals and groups are. An organization’s risk culture will be created by informal ‘influencers’, not just the application of formal top-down authority. Such individuals and teams must be co-opted as risk champions to drive the organization’s desired risk values otherwise, their influence may be used to undermine formal risk initiatives and messages.
• Symbols are any objects which take on symbolic value within the organization. An organization that has its logo a pair of dice, for example, would be expressing a risk-enthusiastic culture, while an organization whose employee awards represent a ‘safe pair of hands’ would be expressing a culture of risk awareness, safety and reliability.
Creating the Desired Risk Culture
Cultures which are dysfunctional risk-taking or dysfunctional risk-averse (perhaps because the culture has failed to adapt to the changing risk profile of the organization) can be changed. The key tools of cultural change include the following.
• Consistent expression and modeling of the new values by senior management (from the top down), leaders and influencers (who may need to be co-opted to the initiative by those in authority)
• Changing underlying values and beliefs, through communication, education and involvement of employees in discussing the need for new ideas and behaviors: spreading new values and beliefs, and encouraging employees to ‘own’ them (through incentives, co-opting people to teach others, getting1employees involved in risk ‘circles’ anti suggestion schemes, and so on); and reinforcing the change (through praise, recognition and rewards)
• Embedding desired attitudes and behaviors in policies, procedures, rules, systems, employee communications, management style and soon so that they become ‘business as usual’, and are supported by all necessary information, resources and controls.
• Using human resource management mechanisms to reinforce the changes: making the new values and behaviors criteria for recruitment and selection employee appraisal and reward including them in competency profiles and earning needs assessments for training and development planning, implementing education, training and coaching; applying disciplinary action, sanctions and penalties where required; and so on. These mechanisms are important because the organization may need to bring in new people who will ‘fit’ the new culture and squeeze out those who don’t ‘fit’, if their attitudes and behavior cannot be changed.