The Turnbull Report concluded that a company's risk management strategy should be part of the company's culture. But how do you define culture and how does it really affect corporate risk management? Dr Alan Waring reports.
The Turnbull guide for directors on the Stock Exchange Combined Code on Corporate Governance is now the basic reference framework for corporate risk management. According to Turnbull, the sound system of internal controls that the code requires should be embedded in the operations of a company and form part of its culture. One of the guide's key tests on control environment and control activities is: "Do the company's culture, code of conduct, human resource policies and performance reward systems support the business objectives and risk management and internal control system?"
Sounds reasonable but what exactly does the term culture mean and how easy is it to engineer? Unfortunately, Turnbull offers no further comment or guidance.
We all have our own concept of culture in the context of organisations. To a great extent, culture has become a managerial label for a rag-bag of ill-defined and often poorly understood ideas about how "we do things around here". The "we" of course is generally expressed by senior managers on the assumption that "we" means everyone in the organisation.
However, while there are usually a lot of commonly shared beliefs and attitudes within an organisation, it is also true that most organisations are made up of a number of different groups. For example, because of the different professional backgrounds and focus, engineering departments, accounts, marketing and insurance each have their own way of doing things and ideas about what risk means and how to assess and control it. In other words, sub-cultures in organisations markedly affect risk and its management.
One of the challenges of the post-Turnbull era is how to break down professional differences and harmonise risk management across different functions. Another is how to alter rigid thinking in large organisations where employees have become afraid of making decisions in case they get it wrong.
The culture of responsible risk-taking that epitomises high-reputation, high-value organisations and brands is by no means universal. Too many large companies suffer from the dead hand of the apparatchik culture. Like those party members who suffocated the former Soviet Union and who wormed their way into every bureaucratic nook and cranny, apparatchiks are mediocre time-servers whose only claim to fame is political manoeuvring, back-stabbing and crawling and a skilful avoidance of taking risks that would be in the best interests of the organisation. Such people represent human resource (HR) risks in the raw but rarely receive any serious attention in corporate governance programmes, internal controls and compliance audits. And let's not forget that insurance companies and brokers are not immune to this risk.
Failures laid bare
In 1997, Dr Ian Glendon and I carried out an independent study of the collapse of Barings Bank (summarised in our book Managing Risk, see awa.demon.co.uk) and were surprised to discover that none of the official inquiry reports mentioned the HR dimension. There is abundant evidence that failures in HR management not only enabled, but actually encouraged Nick Leeson in his deviant activities.
We developed a generic framework for analysing HR risks that had 21 dimensions under four major variables: unfavourable contexts, inadequate HR management systems, inadequate primary task systems and human failings. In the Barings case, all 21 dimensions were against them.
One dimension of unfavourable contexts is organisational culture – be it one of laissez-faire, macho or keeping face. The overall culture within Barings was one of laissez-faire and warnings from external auditors went unheeded. However, two conflicting sub-cultures were evident. The London-based Baring Brothers were conservative bankers with a traditional long-term approach and controls. Meanwhile, Barings Securities were brokers with a short-term focus and a cavalier approach to controls.
Tensions grew as energetic young brokers and salesmen, fixated on commissions and bonuses, were set against experienced bankers. In 1994, bonuses amounted to £84m, three or four times the normal bonus level for this kind of banking, whereas the declared pre-tax profits were £83m. Bonuses had become the overriding measure of personal performance, with greed being the primary motivator.
In such a climate, it is perhaps unsurprising that standard HR good practice relating to selection and de-selection, competencies, training, promotion, responsibility, supervision, authority and reward structure was absent. The gifted amateur culture went right to the top.
A culture of responsible risk-taking is one in which controlled gambles are taken to enhance the business and to avoid detriment as far as possible. However, it also means not taking gambles, even controlled ones, in pure risk areas such as health, safety and environment.
On the wrong track
After a succession of major accidents, the UK railway industry is one example where it has become increasingly apparent that gambles with the content and timetabling of safety engineering programmes are not acceptable.
A robust safety culture from top to bottom is a necessary part of a culture of responsible risk-taking. This cannot be achieved simply by having safety policies and safety management systems; the railway industry is a good example of an industry that is overflowing with safety procedures and documentation.
Unfortunately, many people assume that creating the "right" culture is a relatively straightforward matter of issuing policies, devising strategies and implementing management systems, all backed up by briefings and training to make sure they stick. Such practical requirements are necessary but they are unlikely to result in a rapid change in people's values, which are at the core of any culture. There is general agreement that a true culture change in an organisation is likely to take five to ten years to fulfil. This requires sustained commitment, leadership and realistic approaches to change.
Culture is all about the hearts and minds of people. Since many hazards and threats that affect organisations result from the thoughts, decisions, activities and behaviours of people inside them, an adequate risk management strategy must pay more attention to HR risks.
Almost every major disaster report in the last decade has made reference to the need for a robust safety culture in the particular organisation, if not entire industry. Yet, clearly this has been difficult to deliver and it is evident that the broader risk management culture is unlikely to fare much better.
If there is a fluffy understanding of such an important, even critical, topic as risk management culture, it is likely that the Turnbull expectations that relate to it will be achieved poorly in companies.