Risk management is evolving. It is increasingly accepted that the old notions of control are incomplete. More and more, companies are being told they must actively manage their cultures, specifically their risk cultures. The prize is a more resilient, higher performance organisation.
What is culture? For many, it represents some sense of “the way we do things around here”. A crucial factor often missed is that it is not just about how one or two people act; it is the emergent property arising from how everyone acts. We cannot directly act on culture or choose to have a good one, but have to influence our values and behaviours so that the resulting culture we observe is what we wanted.
Does culture matter? Traditional management thinking encourages us to view our companies as machines, mechanical devices that can be monitored and brought back into line if they deviate from expected behaviour. In such a company, culture arguably plays a “nice to have” role because everything can be controlled anyway.
But companies are not like those simple machines. They are complex ecosystems where people go about their daily tasks, interacting with countless others inside and outside the company. In the real world, people are faced with situations every day that don’t quite match the process manual, and they will use their initiative and try to find a way through to a successful outcome. Their judgments will reflect their values, so the question is whether those values are consistent with the culture your board wants to see?
We have to retain flexibility and learning as core skills, with the certain knowledge that things around us will not always go to plan
For each activity that the company carries out, a number of participants will be involved. The nature of each person’s contribution will be different and it is often necessary for different behaviours and attitudes to apply in order for a successful outcome to be delivered.
For example, we would expect our marketing and design people to be much more unbounded and free-thinking than the person with whom we are entrusting quality control or safety, where an eye for process and detail is clearly an advantage. We also expect some activities to require strict adherence to the rules, whereas others inherently require more creative and reactive attitudes. So companies don’t have one culture; they are home to a number of interacting subcultures.
As our people interact they move the company forward a step at a time. The sequence of steps involves many players in different areas within the business and outside it. Each step puts the company on an emerging path, one that leads to particular sets of possible outcomes, while making it impossible to reach others.
In a world such as this, the notion of control, therefore, requires modification. We can no longer deliver the outcome we want with certainty, but can only choose our next action. Of course, we would like to select an action that will help take the company towards a successful outcome, but we simply don’t know for sure which one that is. We have to retain flexibility and learning as core skills, with the certain knowledge that things around us will not always go to plan.
In fact, in situations of complexity, where the environment is dynamic and changing, a model of centralised control is far from optimal and often leads to unintended outcomes. The more appropriate approach to guiding progress here turns out to be empowering local experts to make localised decisions, with the proviso that they are aware of what is happening in the wider overall context.
Culture is a much more important feature of our business than previously thought – an integral part of our control framework
Organising in this way, we need to empower our experts to make local decisions in the best interests of the whole, and are much more concerned about whether their attitudes and behaviours are consistent with what we would like. We are trusting them “to do the right thing” rather than directly controlling what they do. There will be some things we are so keen to avoid that we will implement very strict controls, making it hard to do the wrong thing, but we are largely going to be using our values to guide behaviours.
There is a further dimension to consider. We need to recognise there is more than one valid perspective to be heard when deciding a course of action. Michael Thompson’s work on the cultural theory of risk, for example, shows that four such views are always present.
In conducting our work we want to ensure each of these views is considered and debated, the surprising outcome being that this does not result in a compromise, suboptimal for all, but rather a solution which actually works better for all parties. Creating a culture where this type of debate is acceptable is, therefore, an important, and often overlooked, part of the governance framework.
So culture is actually a much more important feature of our business than previously thought, not just a “nice to have” after all, but an integral part of our control framework. When the board sets the risk appetite, it is establishing the tone for how business should be done. It must be clear what the objectives are and how they feel about the uncertainties associated with their delivery.
By describing the types of risks that are to be actively sought, in return for a reward, those that are to be accepted and those that are to be avoided, the board is providing a set of guiding principles staff can use when making daily decisions about which actions to take.
Given the complexity of modern business, companies must acknowledge they cannot be controlled using traditional command structures that focus on inputs. Decentralised control is the new paradigm because it allows experts to make local decisions based on a view of the big picture. Today’s control frameworks are made up of sets of subcultures, and companies that adapt to this reality will be more resilient and successful.
For more information please visit uk.milliman.com