Building Risk Culture is a two legged beast
RISKVIEWS is reading about Business Organizational Culture – particularly the Corporate Culture Survival Guide by Edgar Shein.
Shein suggests that culture has three aspects: Artifacts, Espoused Values and Underlying Assumptions. Artifacts are what you can easily see happening. Espoused Values are public statements about what is wanted, things like policies and mission statements. Underlying Assumptions are the part of culture that is difficult (not impossible) to discern and very time consuming to change. These are the things that really determine the choices and decisions of the firm.
Shein suggests that culture is formed as a new company has the successes that cause it to survive and thrive. The initial culture is a combination of the vision and rules of the founder along with the learned values from those early experiences.
He says that culture change comes about when the Underlying Assumptions no longer seem to work and people can feel motivated to learn new approaches that if they succeed, become the new Underlying Assumptions.
To me, RISK seems particularly difficult for this process. Most new ventures are founded with a willful disregard for RISK. So it is relatively rare for a newer firm to have a healthy respect for risk.
In addition, the result of good risk management is a reduction in the likelihood of the experience of undesirable adverse events (UAEs). That is also the outcome from LUCK. In both cases, the indication of good results is a LACK of bad experience.
The Risk Culture develops as the firm experiences adverse outcomes and then only if they learn that a risk management process can reduce the likelihood that they will experience UAEs. Otherwise, the Underlying Assumption will be that whatever the firm is doing is just right to avoid those UAEs. Sort of like the sports star who failed to shave before the game where they scored 2 goals, so they forever after deliberately do not shave on the day of a game.
Building or Changing a Risk Culture, in my opinion, involves teaching the idea that a deliberate and comprehensive risk management process can accomplish the reduction in likelihood of UAEs.
The students may be very responsive after a major adverse experience. Otherwise, the Risk Culture Builder needs to depend on stories of other companies that succeed and fail to avoid the major adverse experiences.
The Risk Culture Builder must be prepared to turn every experience of the organization and of other organizations into stories that support the formation of a positive Risk Culture. But it takes an extremely good story teller to create motivation to adopt a healthy Risk Culture from stories of other companies.
Risk Management is actually more about managing tendencies than actual management of UAEs. Which is one of the things that makes Risk Culture Building particularly difficult. Most people will judge the Risk Culture successes in terms of the actual losses experienced. Meaning, if there are losses, then risk management is not worth the trouble.
Risk Management will only result in near zero losses if the risk tolerance is near zero. And then only if the risk manager is given the nearly unlimited budget that it takes to actually eliminate most risk.
Instead, what can be expected from Risk Management, that is from a tendency to reduce frequency and/or severity of UAEs is loss experience that is better than those who do not practice risk management on the average, over time, when adjusted for differences in the inherent risk profile of the different organizations.
In building and reinforcing the risk culture, the Risk Culture Builder needs to be ready to explain how well (or poorly) that the company is succeeding with that.
Because ultimately, those stories, the stories of how the risk management program is succeeding or how the lack of risk management has failed are an extremely important leg of the risk culture building process.
The other leg (risk management culture is a two legged beast), is the story of how the risk management program needs to work to support achievement of the risk appetite. That story needs to be told, not in terms of explaining the parts of a risk management framework, but instead that story is about the outcomes to be expected.
So for both legs, or both stories, the Risk Culture Builder needs to have a clear idea in mind of how the results of risk management will be demonstrable.
And that is another story.