The A-B-C of risk culture
how to be risk-mature
The Risk Doctor, Risk Doctor & Partners
Everyone knows that culture is important—but why? What about risk culture? What should you do if your project or organisation takes too much risk – or too little?
Starting from first principles, this paper unpacks the key characteristics of culture, explaining what it is – and what it is not. Culture arises from repeated Behaviour – if we do the same things repeatedly we will develop a shared approach to “how we do things around here.” But behaviour is based on our underlying Attitudes – how we think shapes our actions. This gives us the A-B-C Model of culture: Attitudes shape Behaviour, which forms Culture. There are also feedback loops as the prevailing Culture also influences how we think and act.
The A-B-C Model is also true of our approach to risk. If we want to develop a risk-mature culture, we need to behave in an appropriate way towards risk. But this in turn will be driven by our risk attitudes. This paper explores the central role of risk attitude as a key underlying driver of risk behaviour and risk culture, and shows how to change the risk culture by actively managing our attitude to risk.
The term “culture” is very widely used in a variety of senses. In common parlance it has two main application areas. The first relates to expressions of civilisation, for example in art, music, film, poetry, drama, dance, fashion, architecture etc. A second group of uses relates to growth in the natural world, derived from the Latin root cultura which means to till the soil. This is seen in the compound “-culture” words such as agriculture, horticulture, viniculture, sylviculture etc., as well as the idea of bacterial culture.
When applied more generally to how humans relate together in social systems, definitions of culture become more technical, detailed, and specific. Examples from leading theorists in the field of organisational culture include the following definitions:
- “…the collective programming of the mind which distinguishes the members of one group or category of people from another.” (Hofstede, 1980)
- “…a pattern of shared basic assumptions that the group learned as it solved its problems of external adaptation and internal integration, that has worked well enough to be considered valid and is passed on to new members as the correct way to perceive, think, and feel in relation to those problems.” (Schein, 1985)
- “…the set of important understandings (often unstated) that members of a community share in common.” (Sathe, 1985)
- “…the pattern of beliefs, values and learned ways of coping with experience that have developed during the course of an organization's history, and which tend to be manifested in its material arrangements and in the behaviours of its members.” (Brown, 1995)
These definitions all emphasise the internal nature of culture, using words such as mind, assumptions, understandings, beliefs, values. They also describe culture as something shared among a group of people.
The wide range of generic definitions of culture can be synthesised into a single working definition, as follows, which will be used as the basis for this paper:
- “Culture is the values, beliefs, knowledge and understanding, shared by a group of people with a common purpose”
Like the other definitions, this emphasises two important elements of culture:
- Culture exists at different levels in an organisation, based on the various groups such as a project team, a Project Board, a management team, a division, or the overall organisation.
- All aspects of culture are internal, invisible, tacit and hidden. As a result it is hard to measure culture, monitor its development, modify it proactively and manage it going forward.
We will return to the internal nature of culture, but it is important to recognise that more than one culture can exist within a single organisation. We have defined culture as “the values, beliefs, knowledge, and understanding, shared by a group of people with a common purpose”. Clearly an entire organisation is such a group, but it also usually comprises a number of subsidiary groups which each have their own identity and purpose (departments, functions, project teams etc.). As a result, it is possible for groups within an organisation to develop and display their own distinct culture, reflecting the individuals within the group as well as the specific challenges and constraints relating to the group's purpose and performance. It is possible that the culture existing within lower-level groups could differ significantly from the overall culture of the wider organisation, although there is likely to be a top-down influence. This means that developing an appropriate culture is not limited to the senior leadership of an organisation, but needs to be addressed and communicated at all levels, leading to an aligned and coherent culture across the entire organisation.
Introducing the A-B-C Model of Culture
The internal nature of culture introduces real problems if an organisation wishes to improve or change any aspect of its culture, including its risk culture (see below). To understand how this might be addressed, we first need to understand where culture comes from.
The basic principles can be explained using a simple A-B-C Model, based on the following definitions:
- Attitude is “the chosen position adopted by an individual or group in relation to a given situation, influenced by perception” (Hillson & Murray-Webster, 2007)
- Behaviour comprises external observable actions, including decisions, processes, communications etc.
- Culture is “the values, beliefs, knowledge and understanding, shared by a group of people with a common purpose”
The A-B-C Model is based on the following considerations:
- The Culture of a group arises from the repeated Behaviour of its members
- The Behaviour of the group and its constituent individuals is shaped by their underlying Attitudes
- Both Behaviour and Attitudes are influenced by the prevailing Culture of the group
These relationships are illustrated in Exhibit 1.
It is important to note that the only observable element in the A-B-C Model is Behaviour, since both Attitude and Culture are internal and invisible. As a result, we can only assess the nature of culture by observing the external behaviours that it produces.
One key feature of the A-B-C Model is the feedback loop back from Culture to both Attitude and Behaviour. This illustrates that culture is not static: culture is formed by behaviour, which in turn is shaped by attitude, but also culture influences current and future attitudes and behaviours. It is important to distinguish between culture and its inputs and outcomes, but the A-B-C Model suggests that attitudes and behaviours are both inputs to culture and they are also both outcomes from it.
This set of cyclic interdependencies between attitudes, behaviours and culture allows the development of self-reinforcing feedback loops. These can either create a vicious cycle, where poor attitudes lead to inappropriate behaviours and build a negative culture, which in turn reinforces bad attitudes and behaviour. Alternatively, the loop can act as a virtuous cycle, with good attitudes producing appropriate behaviours and a positive culture, which acts to strengthen right attitudes and encourage good behaviours.
Understanding risk culture
Applying the A-B-C Model to risk culture
The Institute of Risk Management (IRM) conducted a major thought-leadership study on risk culture in 2012 (Institute of Risk Management, 2012a, 2012b), to which this author was a major contributor. The IRM study used the A-B-C Model as a foundation for the development of more detailed models and frameworks, addressing the development of good organisational risk culture.
It is easy to produce a risk variant of the A-B-C Model (Exhibit 2) simply by replacing its generic definitions with risk-related versions, as follows:
- Risk attitude is “the chosen position adopted by an individual or group towards risk, influenced by risk perception”
- Risk behaviour comprises external observable risk-related actions, including risk-based decision-making, risk processes, risk communications etc.
- Risk culture is “the values, beliefs, knowledge and understanding about risk, shared by a group of people with a common purpose”.
The risk variant of the A-B-C Model helps to distinguish between these three distinct elements that are often confused when people discuss risk culture. Two misconceptions are common:
- Firstly risk attitudes are not the same as risk culture, so it is not correct to say that an organisation has a “risk-averse culture” or a “risk-seeking culture”, because terms like risk-averse and risk-seeking describe different attitudes (Hillson & Murray-Webster, 2007)
- Secondly, behaviour towards risk is not the same as risk culture, so it is inaccurate to talk about risk culture as “the way we do things around here in relation to risk” (Williams, Dobson, & Walters, 1994; Lundy & Cowling, 1996), because “doing things” describes behaviours.
As for generic organisational culture, the definition of risk culture indicates that it comprises a number of internal attributes (“…values, beliefs, knowledge and understanding…”) which are hard to see and measure. Also, like wider culture, risk culture exists at different levels within an organisation (“…group of people with a common purpose”), which need to be coherent and aligned. And as in the general case, negative and positive feedback loops can develop between risk attitudes, risk behaviour and risk culture, due to the cyclic nature of the A-B-C Model.
Why Risk Culture Matters
Developing and maintaining a strong and positive risk culture is important for several reasons, including its influence on compliance, organisational performance, and risk management effectiveness.
At the organisational level, understanding and expressing risk culture is a compliance requirement for corporate governance. For example, the international risk standard ISO31000:2009 (International Organization for Standardization, 2009) includes the following statements:
- “Management should ensure that the organization's culture and risk management policy are aligned.” (section 4.2)
- “[Continuous improvement decisions] should lead to improvements in the organization's management of risk and its risk management culture.” (section 4.6)
Risk culture is also a determinant of organisational success and failure. Two reports into corporate governance failings following the 2008 global financial crisis concluded the following:
- “The principal emphasis is in many areas on behaviour and culture…” (Walker, 2009)
- “The issues with which companies were grappling include understanding their exposure to risk and how this might change…[and] embedding the right risk culture throughout the company…” (Financial Reporting Council, 2011)
Risk Management Effectiveness
The most important way in which risk culture matters is that it has a critical effect on risk management effectiveness (Hillson, 2002d), as the IRM points out: “The prevailing risk culture within an organisation can make it significantly better or worse at managing risks” (Institute of Risk Management, 2012b). At both organisational level and lower levels (such as divisional or project level), risk culture affects risk management in the following ways:
- Risk culture affects risk appetite, including strategic and tactical decisions on how much risk to take in a range of situations and settings.
- Risk culture influences attitudes towards risk, shaping the way individuals and groups position themselves towards risk in situations that are perceived as risky and important.
- Risk culture informs the setting of objectives and strategies, as key decision-makers seek to determine the optimal course in an uncertain environment and context.
- Risk culture determines the ability to “take the right risks safely” because it influences the effectiveness of risk policies, procedures and practices.
- Risk culture can prevent the appearance of condoning wrong behaviours, which can arise when leaders send inconsistent messages on the level of acceptable risk.
Developing a Risk-Mature Risk Culture
In the risk profession there is some debate about whether risk culture should be defined deliberately and intentionally, or whether it emerges naturally within an organisation. In fact, risk culture can be set in both ways.
- Setting risk culture directly from the top requires a clear statement of intent from leaders in the organisation, laying out their vision and policy for risk management, describing their values and beliefs about risk, and explaining the approach that they intend to take in order to exploit risk and create benefits. The desired risk culture should be actively communicated to all staff, so no one is any doubt about how risk will be addressed within the organisation, and appropriate risk-related behaviour is actively promoted and encouraged.
- A second option is to allow risk culture to emerge naturally. This approach concentrates on putting all the practical elements in place within the organisation to allow risk to be managed properly, with good people, processes and infrastructure (Hillson 2002a, 2002b, 2002c). As people across the organisation put risk management into practice within their routine jobs, they will start to experience fewer problems and enhanced benefits. As they see risk management working for them, people will recognise the importance of managing risk. Their belief in the value of risk management will reinforce the correct behaviour. A positive cycle is created where acting properly towards risk creates a strong risk culture, and that in turn encourages the right risk-related behaviour.
Both top-down and bottom-up approaches to developing risk culture work, and an organisation could adopt either approach: deal with risk culture first, or allow risk culture to emerge. Both have strengths and weaknesses, and management should consider carefully which approach would work best within their own particular organisational context, or whether to adopt a blend of both in order to encourage the optimal risk culture.
But how will we know what an optimal risk culture looks like? The IRM report describes characteristics of the type of risk culture that would be displayed in a risk-mature organisation, with the following ten indicators (Institute of Risk Management, 2012a):
- Distinct and consistent tone from the top on risk-taking
- Commitment to ethical principles and practice
- Wide acceptance of importance of managing risk
- Transparent and timely risk information flow up and down
- Risk reporting and whistle-blowing is encouraged
- Active learning from impacted risks and near-misses
- Risk-taking behaviours rewarded or challenged
- Risk management skills are valued, encouraged and developed
- Properly resourced risk management function
- Regular challenging of status quo from diverse perspectives
Consistent with the implications of the A-B-C Model, these indicators are all external measurable behaviours which can be objectively assessed. Consequently, an organisation that wishes to improve its risk culture needs to use these behavioural indicators as cultural diagnostics, conducting a gap analysis with the following steps:
- Step 1: Assess current risk culture (Where are we now?)
- Step 2: Define desired risk culture (Where do we want to be?)
- Step 3: Understand the gap (What needs to change?)
- Step 4: Design and implement risk culture change programme
- Step 5 (repeats Step 1): Assess changes in risk culture
This type of cultural diagnostic analysis can be done at a high level in descriptive terms, but it is likely to be more effective if a more detailed approach is followed. The IRM offers a model of risk culture (Institute of Risk Management, 2012a, 2012b) that presents the various elements of risk culture in a structured way, facilitating the cultural diagnostic analysis. The IRM Risk Culture Aspects Model identifies eight aspects of risk culture, grouped into four themes, which are key indicators of the existing risk culture in an organisation or other group. These are summarised in Table 1.
|Tone at the top||Risk leadership, clarity of direction|
|How organisation responds to bad news|
|Governance||Clear accountability for managing risk|
|Transparency and timeliness of risk information|
|Decision-making||Well informed risk decisions|
|Reward appropriate risk-taking through performance management|
|Competency||Status, resourcing and empowerment of risk function|
|Embedding of risk skills across organisation|
This model can be used as the basis of a risk cultural diagnostic assessment, either by means of a simple self-assessment questionnaire (see Institute of Risk Management, 2012b, Appendix 6) or by using structured interview and audit techniques. This will expose specific areas of strength and weakness in the existing risk culture, allowing a targeted cultural improvement programme to be designed and implemented.
The idea that we can perform a risk culture diagnostic analysis then take action to change risk culture as required seems relatively straightforward, until one remembers that risk culture is internal and invisible, so it is hard to measure, monitor, modify and manage. Using observed risk behaviour as an external proxy for internal risk culture provides a way over the first part of this difficulty, namely how to measure and monitor risk culture. But the question remains of how we can modify and manage risk culture in a way that produces the right risk behaviours. We might try very hard to introduce and reinforce new or changed behaviours towards risk through mandate, process change, reward and sanction. But it is notoriously difficult to use such externally-imposed means to generate lasting behavioural change. Fortunately the A-B-C Model offers an answer.
Using risk attitude to develop risk culture
Referring to Exhibit 2, it is clear that risk behaviour is influenced by both risk attitude and risk culture. Consequently, we can take advantage of the ABC links. If we can manage and modify risk attitudes, then those changed risk attitudes will influence risk behaviour in the right direction, and hence build a new and more risk-mature risk culture.
There are a number of ways of thinking about risk which present alternative views of the uncertain world. These alternatives are illustrated by the pairs of options in Table 2.
|NEGATIVE PERSPECTIVE||POSITIVE PERSPECTIVE|
|Risk is avoidable||Risk is natural|
|Risk is bad||Risk is good|
|“High risk” means dangerous||“High risk” means exciting|
|Risk should be prevented||Risk should be exploited|
|Risk management protects value||Risk management enhances value|
|Risk should be managed by specialists||Risk should be managed by everyone|
|Discussing risk shows weakness||Discussing risk shows maturity|
These two sets of alternative ways of thinking about risk illustrate the potential for different risk attitudes to be held by individuals and groups within an organisation. It is not hard to see how these would lead to very different external risk behaviours in terms of risk-based decision-making, implementation of risk management processes, risk communications etc. But how can these underlying risk attitudes be changed?
Earlier work on risk attitude (Hillson & Murray-Webster, 2007; Murray-Webster & Hillson, 2008) has demonstrated that the risk attitude of individuals and groups is variable, and since it is a choice, it can be modified and managed proactively. The Six A’s Framework (Murray-Webster & Hillson, 2008) has been developed to support attitudinal change, as shown in Exhibit 3. This framework is based on standard theories of emotional intelligence, modified to include decision and feedback loops.
The Six A’s Framework provides a structured approach to help individuals and groups adopt an appropriate risk attitude in any given risky and important situation. The framework is described in detail elsewhere (Murray-Webster & Hillson, 2008), but it can be summarised as follows:
- First, there is a need for Awareness and Appreciation of the current risk attitude adopted by an individual or a group,
- Next comes Assessment, to determine whether the current risk attitude is likely to lead to an acceptable outcome or not.
- Where the assessment step indicates that intervention is required to modify the prevailing risk attitude, Assertion and Action are employed to make the necessary change.
- If on the other hand assessment shows that the existing risk attitude is appropriate, the current risk attitude can be Accepted.
- Whether the original risk attitude is accepted or modified, the ongoing situation must be monitored and reassessed periodically to determine whether intervention may be required at a later time.
Each of these steps involves a range of underlying actions, which are explained elsewhere (Murray-Webster & Hillson, 2008). But this simple framework allows an appropriate risk attitude to be chosen and modified where necessary in order to provide a control loop that can influence risk behaviour and ultimately build a changed risk culture. In this way we can use the Six A’s Framework to manage cultural change through the A-B-C Model.
We started by noting that the word “culture” is used to refer to aspects of civilisation as well as different types of growth. These two groups of meanings are not irrelevant when considering the challenges of building an appropriate risk culture within different levels of an organisation. In the context of civilisation (art, music, drama etc.), culture refers to various types of self-expression, whereas in growth terms the emphasis is on maturity and reproduction. Organisational culture is similar, both generically and in relation to risk. It raises and answers questions of self-expression (Who are we? What are we expressing?), as well as questions of maturity and reproduction (How will we reach maturity? What are we reproducing?).
The recent IRM study on risk culture (Institute of Risk Management, 2012a) offered ten diagnostic questions that can be used to determine the type of risk culture that exists in an organisation. These can be applied at any level in the organisation, for example at Board level, or within a division, or in a project context. The ten questions relate to specific aspects of self-expression, maturity, and reproduction, and are as follows:
- What tone do we set from the top? Are we providing consistent, coherent, sustained and visible leadership in terms of how we expect our people to behave and respond when dealing with risk?
- How do we establish and maintain sufficiently clear accountabilities for those managing risks and hold them to their accountabilities?
- What risks does our current corporate and project culture create for the organisation, and what risk culture is needed to ensure achievement of our corporate and project goals?
- Do we acknowledge and live our stated values when addressing and resolving risk dilemmas? Do we regularly discuss risk dilemmas in value terms and does it influence our decisions?
- How do our structure, processes and reward systems support or detract from development of our desired risk culture?
- How do we actively seek out information on risk events and near misses and ensure key lessons are learnt? Do we have sufficient organisational humility to look at ourselves from the perspective of stakeholders and not just assume we're getting it right?
- How do we respond to whistle-blowers and others raising genuine concerns?
- How do we reward and encourage appropriate risk-taking behaviours and challenge unbalanced risk behaviours (either overly risk-averse or risk-seeking)?
- How do we satisfy ourselves that new joiners will quickly absorb our desired cultural values and that established staff continue to demonstrate attitudes and behaviours consistent with our expectations?
- How do we support learning and development associated with raising awareness and competence in managing risk at all levels?
By asking and answering these questions honestly, an organisation can determine the maturity of its risk culture, and identify areas of weakness where the current risk culture needs to be challenged and changed. These can then be pursued by actively managing risk attitudes to change risk behaviour and build a new risk culture.
Culture matters. The A-B-C Model provides a simple way to understand the nature of culture as well as its drivers, by describing the links between Attitudes, Behaviour and Culture, and making clear the potential for the development of negative feedback loops (vicious cycles) as well as positive reinforcement (virtuous cycles).
The A-B-C Model applies equally to risk culture, whether for an organisation as a whole or for various groups within an organisation (department, function, project team etc.). Risk culture matters because it drives risk thinking and attitudes as well as risk-taking behaviour. An inappropriate or immature risk culture can cause problems by leading a group to take either too much risk or too little, so it is important to understand the current risk culture and take steps to change it if necessary.
Based on the A-B-C Model for risk culture presented in this paper, it is clear that we can change risk attitudes in an intentional and managed way, allowing us to develop more appropriate risk-taking behaviour, and so build a more risk-mature culture.
Brown, A. (1995). Organisational culture (2nd ed.). London, UK: Pitman Publishing.
Financial Reporting Council. (2011). Developments in corporate governance 2011: The impact and implementation of UK corporate governance and stewardship. London, UK: Financial Reporting Council.
Hillson, D. A. (2002a). Critical success factors for effective risk management: Part 1 – Success in risk management. Project Management Review (July/August 2002), 24–25.
Hillson, D. A. (2002b). Critical success factors for effective risk management: Part 2 – A simple risk process. Project Management Review (September 2002), page 17.
Hillson, D. A. (2002c). Critical success factors for effective risk management: Part 3 – The right level of support. Project Management Review (October 2002), page 17.
Hillson, D. A. (2002d). Critical success factors for effective risk management: Part 4 – Risk culture. Project Management Review (November 2002), page 23.
Hillson, D. A., & Murray-Webster, R. (2007). Understanding and managing risk attitude (2nd ed.). Aldershot, Surrey, UK: Gower.
Hofstede, G. (1980). Culture's consequences: International differences in work-related values. London, UK: Sage Publications.
Institute of Risk Management. (2012a). Risk culture under the microscope: Guidance for boards. London, UK: Institute of Risk Management.
Institute of Risk Management. (2012b). Risk culture: Resources for practitioners. London, UK: Institute of Risk Management.
International Organization for Standardization. (2009). ISO 31000:2009. Risk Management – Principles and Guidelines. Geneva, Switzerland: International Organization for Standardization.
Lundy, O., & Cowling, A. (1996). Strategic human resource management. London, UK: Routledge.
Murray-Webster, R., & Hillson, D. A. (2008). Managing group risk attitude. Aldershot, Surrey, UK: Gower.
Sathe, V. V. (1985). Culture and related corporate realities. Homewood, IL, USA: Irwin.
Schein, E. H. (1985). Organisational culture and leadership. San Francisco, CA, USA: Jossey Bass.
Walker, D. (2009). A review of corporate governance at UK banks and other financial industry entities: Final recommendations. London, UK: HM Treasury.
Williams, A., Dobson, P., & Walters, M. (1994). Changing culture: New organisational approaches (2nd ed.). Wiltshire, UK: Cromwell Press
© 2013, David Hillson/Risk Doctor & Partners Limited
Originally published as a part of 2013 PMI Global Congress Proceedings – New Orleans, Louisiana, USA