Risk management and the impact of culture

With so many examples of poor corporate behaviour and poor governance, it seemed a good time to address why getting the culture of an organisation right was so important. The CRSA (Control and Risk Self Assessment) Forum is an independent group ofenthusiastic practitioners and academics led by SAMI Fellow Professor Paul Moxeyand it used its recent meeting to explore culture and governance.

The day was kicked off by Simon Lowe of Grant Thornton describing the research they had done on culture and its role in effective governance, and their approach to auditing culture. He described how compliance with the UK Corporate Governance (UKCG) Code was improving, but it was now apparent that assessment needed to go beyond compliance to the application of the principles.

Good governance needs a proper understanding of risk – “the board should carry out a robust assessment of the company’s emerging and principal risks” (UKCG). Clearly technology is one major area of risk. However,from their analysis of company accounts, Grant Thornton found that, in several sectors – including,astonishingly the financial sector – many companies had not identified technology as a risk. And, of those that had, fewer than 30% had a board member with technology expertise.

Annual reports did contain references to corporate culture, but few CEOs (29%) referred to what they might do about it. Monitoring health and safety and running some employee engagement surveys seemed to be as far as it went. One or two examples of how culture might be captured in a “dashboard” were shown.

Then Simon’s colleague, Karen Brice, led an exercise on producing metrics for culture. She proposed a 6-factor “culture web” including such things as “rituals and routines”, “control systems” and “power structures”. The point of the exercise was not so much the absolute values assigned but the different perspectives different people’s assessments revealed.

The session generated an intense and lively discussion.  There was some scepticism as to whether board members really wanted to get to grip with risks, preferring instead “plausible deniability” – several of the well-known governance disasters were explored. The challenges of creating common cultures following mergers were raised (an example being AT&T and HBO). And the idea of making the challenge a positive by promoting “Boardroom Brilliance” was also proposed.

The next session led by Peter Hanley and Colin Perris talked about “risk exploitation” and the work they were doing to formalise a process – even an app – to help with that. Their basic tenet was that a risk management approach tended to try to limit the forces pulling the organisation away from its goals. Instead what was needed was a focus on achieving the positive outcome. They too led us in an exercise, where we role-played being board members of a social housing organisation facing the post-Grenfell worldThe exercise highlighted how easily one fell into considering risk as negative, rather then driving towards a positive. A key idea of a “Golden hour” emerged – pre-prepared mitigation strategies that would enable boards to react quickly to major challenges.

Later in the day SAMI Associate Garry Honey discussed creating a positive risk cultureDifferent people, even within the same organisation, will have different risk appetites, often depending on their role or inclination. A CFO is likely to be risk averse, while a hedge fund manager sees risk as an opportunity for higher profit. Garry explored the known/knowns and unknown/unknowns matrix, showing how best to expand the former area. He then went on to discuss reputation management, arguing the need for prevention rather than cure. Ultimately, he too was arguing that coping with risk was all about culture rather than process.

The day ended with a session by SAMI Emeritus Fellow Gill Ringland talking about the “Ethical Reading” (the place not the activity!) project she is involved with. Again the point was that compliance is not enough. In multi-cultural and fragmented societies, traditional norms and structures, and the support of the community can break down. So there needs to be a strong lead focus on common ethical principles, such as respect, co-operation, collaboration, integrity, fairness and responsibility. Happily,she had found many willing volunteers and champions to participate in promoting these ideas – see #itstartswithme.  Her goal is to spread these ideas out into a much wider “Ethical cities” programme.

All in all it was a very inspiring day with loads of interaction and involvement of the audience. The value of scenarios in the consideration of risk came out strongly. One can but hope that the days of truly valuing and understanding the role of culture and ethics in organisational decision-making is coming that much closer.

Written by Huw Williams, SAMI Principal

The views expressed are those of the author and not necessarily of SAMI Consulting.

SAMI Consulting was founded in 1989 by Shell and St Andrews University. They have undertaken scenario planning projects for a wide range of UK and international organisations. Their core skill is providing the link between futures research and strategy.

If you enjoyed this blog from SAMI Consulting, the home of scenario planning, please sign up for our monthly newsletter at newreader@samiconsulting.co.uk and/or browse our website at https://www.samiconsulting.co.uk

Leave a reply

Your email address will not be published. Required fields are marked *