When it comes to managing risk, the legal department should steer the ship but HR should navigate the waters. An expert shares his thoughts.
As the ongoing Royal Commission into banking highlights, there has seldom been more focus on how organisations and their employees manage risk. This means that defining, reinforcing and measuring the organisation’s risk culture is a strategic priority for senior leaders and boards.
What has generated fewer headlines is the opportunity, if not the imperative, this creates for HR leaders. As the function that traditionally “owns” culture, HR leaders have a vital role to play both in setting the strategic direction and helping their organisations understand and build a strong risk culture.
And don’t think this issue is limited to the banking industry. While much of the current focus is on financial services, all sectors and functions face the same challenges: safeguarding customer, patient or citizens’ data; managing the reputational risks posed by social media; ensuring the financial reports are error-free and maintaining high integrity among employees.
No organisation is immune, and all need a robust and proactive approach in place.
Debunking the myths around risk culture
Culture famously eats strategy for breakfast. It’s an intangible concept and perhaps one of the most frequently abused words in the business dictionary. While culture may be tritely defined as “how we do things around here” – and everyone has an opinion on it – the topic is still a subject of much confusion and consulting income.
This is doubly true of “risk culture”, a coupling that takes a soft and fluffy concept – culture – and links it to risk, which often involves lawyers, regulators and sometimes prison time. Before we look at some of the key principles underpinning a strong risk culture, let’s establish some basic facts:
Risk culture is not separate to organisational culture: The latter drivers the organisation’s approach to the former. APRA summarised it elegantly when they wrote that, “risk culture is not separate to organisational culture, but reflects the influence of organisational culture on how risks are managed”.
Culture is an output: “Culture” is not something that exists independently of other activity within an organisation. It’s the environment and behaviours you create as a result of the practices, policies and behaviours you define and reinforce; if you hire criminals and incentivise conflict then you will create a culture of violence.
Culture can be measured: There are a large number of qualitative and hard quantitative measures that can be used to do this. An employee survey is the most obvious “soft” measure, but there are a wide range of more quantitative measures that should be considered, including the increasing use of technology to measure the language, tone and volume of communication within organisations and networks.
Risk is good: Nothing is achieved without taking risks. We don’t want to prevent all risks, we want employees to understand and manage them. Too often a consequence of a focus on risk culture is that employees believe they should remove all risk from their work. This threatens innovation and can create a climate that discourages opportunity seeking and diversity of thought.
The tools to make it happen
So, how do HR leaders build a strong risk culture? Overwhelmingly, much of the focus is on measuring employee attitudes and responses to culture, usually via surveys and interviews. But this narrows the scope significantly, and just as importantly, does little to answer the first question when the survey results are shared; “so what do we do?”
There are five principles that HR leaders should adopt when strengthening risk culture:
The customer must be at the heart of everything
This is vital. The work of Adam Grant, a management professor at Wharton, has shown how a stronger connection to the customer drives engagement and a sense of purpose. This is crucial in helping employees understand the importance and consequences of effective risk management.
Focus on the inputs
As above, culture is an output. A robust approach to strengthening or changing the culture must involve focusing on the inputs. Don’t just measure employee attitudes, but tackle the policies and activity – inputs such as recruitment, performance management, leadership development – that shape and define your organisational culture.
Take a holistic approach
It is vital that you look at the end-to-end employee experience and ensure all activity is aligned and consistent. You can have the most robust performance management process, but if your leadership development programs are not driving the same focus on risk management then the impact is massively reduced. From your external branding to candidates through to your exit surveys, the approach should be consistent.
Align to all your cultures
Different teams and roles have different cultures that require different risk appetites. One size does not fit all. “Failing fast and breaking things” may be an essential mindset for your software developers, but it can be a lethal, if not illegal, approach in heavily regulated roles or functions.
Integrate into your current activity
Having a stand-alone risk survey, training course or performance appraisal is not the way forward. It may feel like this creates a clear emphasis on risk culture, but it is most likely inefficient and duplicates other activity. More importantly, it sends the message that risk management is a separate activity when it should be implicit in everything your employees do.
The current focus on risk culture in not a passing fad. HR leaders have a critical role to play in helping their stakeholders understand key concepts and the levers that shape organisational culture – and in taking the lead in building and measuring a strong risk culture across their organisation.
Murray Priestman is the founder and principal of Priestman Associates. He was previously global head of talent for Macquarie Group, and worked as a management consultant with KPMG in Europe and Australia.
Learn how to address complex ethical issues in the workplace as part of your HR role, with the AHRI short course ‘Workplace ethics’.
Encourage dissent. That’s the best way encourage employees to take risks and challenge the existing system. This should be a part of the appraisal system. But then the upper management may resent it. And if this happens HR always listens to upper management. Then risk taking is taken down the cul-de-sac and gently choked to death.
Isaac, I absolutely agree. Encouraging dissent – creating an environment where employees feel comfortable speaking up and challenging – is vital. This can be embedded and reinforced far more broadly than just through the appraisal system (applying the “holistic” principle in the article); organisations can recruit for this quality, leadership development can focus on creating a culture of psychological safety, engagement surveys can measure employee attitudes, etc. Focusing on the end-to-end employee lifecycle and ensuring all activity is aligned is key.
Absolutely. HR Teams should be driving Organisational Risk campaigns that look beyond the regulator and address business risk associated with litigation and evidence gathering to demonstrate a proactive commitment to on-going awareness initiatives
If you tie compensation to customer satisfaction w/ customer rating feedback you will have good actors in your workspace when it comes to client experience. You won’t have to have such a hawk like eye on your employees and will optimize for the customer to be at the heart of everything. Too much focus on the inputs i.e. Leadership lead development / performance management and top down leadership strategies are easily manipulated and corrupted by BAD and DECEPTIVE people within your company John