0.3.1.1 Part I: Risk Culture Conceptual Underpinnings

This part highlights thinking from several different disciplines providing foundations upon which culture is built, defined and better understood. From this broad view of cultural issues, risk management in organisations and its successes and failings can be assessed.

Jennifer Howard-Grenville places risk culture within organisational culture in ‘Individual Agency and Collective Patterns of Action: Organisational Culture through the Lens of Organisational Theory’ (Chapter 1). She reviews two prominent perspectives, that of Edgar Schein, which is popularised in three layers of organisational culture, beginning with espoused values – exemplified by ‘tone from the top’, which is omnipresent in discussion of UK financial services – then artefacts and finally the underlying assumptions or beliefs of members; and that of Ann Swidler, who coined the idea of ‘culture as repertoire’, which aims to extract the meaning of culture from the day-to-day actions, skills and habits of an organisation’s people. While relating both individual agency and collective characteristics of an organisation to risk governance, the inherent resistance of culture to change is noted.

The prevailing idea of ‘risk management of nothing’ (Power, Reference Power2009), coined to describe the misguided focus of risk management on the audit function, is a backdrop for the conversation on ‘Risk Culture and Information Culture: Why an ‘Appetite for Knowledge’ Matters’ (Chapter 2). In this chapter, Michael Power highlights the relationship between risk information and risk management processes from an organisational perspective. This chapter posits that a focus on individual incentives and performance management has compromised a more nuanced understanding of group dynamics and has overlooked, amongst other things, that ‘risk information production and flow is a fundamental feature of ‘risk culture’ and is itself constituted by an appetite for risk knowledge’. Three testable propositions on the role of information in risk culture are presented; these roughly align to the standard risk management structure of three lines of defence (mentioned above) and link information processes to organisational values.

Having seen the relevance of information processes to risk culture in Chapter 2, Michelle Tuveson and Daniel Ralph take a social network view of an organisation in ‘A Network View of Tone at the Top and the Role of Opinion Leaders’ (Chapter 3). Social networks are complementary to formal hierarchies such as lines of reporting and governance structures and arguably are under-studied within organisations. This chapter examines the role of individual staff, whether senior managers or not, in transmitting organisational culture across the firm through their social networks. The importance of the charisma and connectivity of individuals is modelled with agent-based simulation of communications within an organisation. The broad finding is that social networks may be critical to support tone from the top and may be an important complement to formal reporting or supervisory processes regarding maintenance and evolution of risk culture.

The ultimate value of any initiative to an organisation is the promise for a better future, and developing risk culture is no exception. This is explored through the relationship between innovative initiatives in an organisation and its culture in ‘Rethinking Risk Management Cultures in Organisations: Insights from Innovation’ (Chapter 4), by Stelios Kavadias and Kostas Ladas. Innovation is the subject of diverse management and sociological scholarship. Product portfolio management for a firm addresses its new offerings, which may be either novel products or entry to a new market. A related theme is that of firms adopting a ‘strategic buckets’ approach, allocating one bucket for incremental projects and another for radical experiments. This ring-fences opportunities in terms of both resourcing and within bucket management. Another strand of research from project management proposes that project planning should anticipate the emergence of unforeseen risks and hence focus on the ability to respond flexibly. The authors combine this wisdom by, first, distinguishing between radical innovation, which induces strategic risks, versus incremental innovation, which typically induces operational risks; and, second, by proposing a framework for innovation in an experimentation cycle – a process for balancing risk against reward by jointly managing evolution (exploration) and optimisation (exploitation).

0.3.1.2 Part II: A View of Risk Culture Concepts in Firms and Society

Following the concepts presented in the previous part, this part addresses the organisation as an entity and the dynamics of how the individuals, collective groups of individuals and external supervisors exist and engage within it. The concept of individual agency is explored within the context of how information is created and exchanged and where responsibility might lie within an organisation with respect to its governance structures. We focus on an important historical development in the banking sector, both in structure and oversight, that served to underpin modern culture issues.

How does risk culture evolve across an entire sector over nearly two centuries? ‘The Changing Risk Culture of UK Banks’, by Anthony Hotson and Duncan Needham (Chapter 5), charts the fundamental transformation in the business and risk culture of UK banking from the 1833 Bank Charter Act, which liberalised joint-stock banking in London, to the early 1900s, dominated by ‘the Big Five’, and continuing with the relative stability of the banking system and bank culture till after the Second World War, with big shifts in the 1970s and 1980s, eventually leading up to the GFC of 2008–9. This analysis looks at liability management and asset management as separate sub-sectors of the financial services, which have become combined under the heading of maturity transformation, e.g. mortgages. Viewing it through this historical lens, the GFC is described as being less about ‘bad bankers’ than a consequence of the transformation of commercial banks from being providers of short-term liquidity and payments services into residential property lenders.

Responding to the post-GFC wave of regulatory involvement covering risk culture, ‘Regulating Agency Relationships and Risk Culture in Financial Institutions’ (Chapter 6), by Kern Alexander, argues that the traditional understanding of agency problems in the corporate governance literature cannot fully explain the risk management and operational failures of banks during the GFC. The chapter suggests that human agency theory as it applies to the collective efforts of individuals within an organisation can provide a fuller understanding of how a weak risk culture can develop within banking and financial institutions. The chapter reviews international regulatory developments in the area of risk culture and the main legal and regulatory instruments adopted following the crisis to enhance risk culture within financial institutions, including the UK Senior Managers and Conduct Regime and how it attempts to address collective agency problems. The chapter concludes that the complexities of regulating the collective activities of many individuals regarding cultural standards and norms within large organisations can be more effectively achieved through a balance between official sector regulation and self-regulatory initiatives that build on existing institutional knowledge in the financial sector.

‘What Does Risk Culture Mean to a Corporation? Evidence for Business Value’ (Chapter 7), by Andrew Freeman, offers a two-part discussion. The first looks at the emergence of risk culture as a focal regulatory theme in financial services starting from 2008. This describes risk culture as a ‘technocratic’ child of financial regulation rather than an element of broader sociological developments in management that relate to cultural studies and its impact on risk management and the writing of management gurus. This first part also includes a de facto case study of the period 2008–12, following the GFC, by identifying the ideas, institutions and key people in the emergence of risk culture as a pillar of risk management in financial services. A subliminal reading is that the importance of risk culture, and later conduct risk, may be partially explained by the need for financial services, regulators and firms to show to society and business at large that some action was being taken by in response to the crisis. Second, this chapter takes a sceptical view of the link between risk culture and performance of firms. In that vein, Freeman predicts that ‘much further study in the area of risk culture and performance is likely to remain categorically confused’ because the complexity of organisations, and in the environment generally, makes it hard to distinguish cause (here, the effort to improve risk culture) from effect (improving business value).

There is little distance between considerations of organisational culture and ethics, whether the latter concern individual behaviours or firm-level values and outcomes. In ‘Values at Risk: Perspectives on the Ethical Turn in Risk Management’ (Chapter 8), Anette Mikes places culture, as measured through an organisation’s commitments, core values and priorities, within the context of ethics by asking whether those commitments and values are regularly compromised in practice. In two compelling case studies, Mikes explores how organisations constructively measure the gap between values espoused by their leaders and the concerns and activities of wider staff. The overarching proposal is the idea of ‘values at risk’ (VsR), together with identifying the demand, indeed need, for an ethical turn in risk management. Three areas of concern are used to highlight the potential for VsR to generate constructive debate and action: the incubation of man-made disasters, corporate failures due to conflicts of interest and large societal risks such as climate change.

These chapters broadly shed light on the thesis that risk is not solely due to chance and individual behaviours but that organisations play a vital role as both manufacturers and managers of risk. Additionally, many adjacent themes are worth exploring to further support the ideas presented. Further research is certainly warranted to verify and validate our thesis.

0.4.1.1 Psychology of Individuals and Risk Culture

The need to better understand how and why organisations work in business has put focus on the fields of psychology and behavioural sciences. We start by noting several important areas of research on individual motivations and decision-making. Behavioural psychology (which addresses innate or unconsciously driven individual behaviour) and personality traits (psychometrics) are both well studied in psychology and partially adapted into corporate life via recruitment and staff development practices. Models for behaviour such as those based on Ajzen’s (Reference Ajzen1991) theory of planned behaviour provide frameworks that tie beliefs and intentions to contingent behaviours. Neuropsychology studies the link between brain physiology and activity to a variety of behaviours and perceptions (including fairness, mentioned below). A little explored but fast-growing area is the relevance of human physiology, e.g. hormone levels, to decision-making (Coates, Reference Coates2013). Nevertheless, there is a wealth of work on how individuals connect to what might be called organisational attributes, including organisational processes, and on team performance – though we bypass the latter.

We highlight three organisational themes: safety culture, psychological safety and fairness. Safety culture and safety climate are familiar terms in industries with high levels of physical risk, where evidence points to the effectiveness if not necessity of management attention, including training and monitoring, in organisational health and safety outcomes. Psychological safety, which addresses the level of risk perceived by an individual in interacting with others, has proven to be a link between managing risk culture in physically risky environments and how risk is recognised and managed in organisations generally. This topic is connected with oft-touted organisational values such as courage and integrity, feeding into considerations of risk culture, or, more subtly, creativity. Fairness in an organisation, as well as an aspect of individual perception, is linked to organisational actions and processes in the study of procedural justice. Both procedural justice and psychological safety have been studied in the context of stress and mental health in the workplace; arguably, procedural justice provides cultural artefacts in the organisation that influence psychological safety and risk culture.

0.4.1.2 Cultural Cognition and Professional Judgement

Cultural cognition describes the tendency of individuals to conform their beliefs about disputed matters of fact (e.g. whether humans are causing global warming, whether immigration is to blame for unemployment) to values that define their cultural identities. Its relevance to how people interpret, absorb or reject information is the focus of the Cultural Cognition Project (Yale Law School, n.d.), which has made substantive studies of how professional training or professional identity, indeed professional culture, interacts with cultural cognition (Kahan et al., Reference Kahan2016: 394). The role of cultural cognition in organisational (risk) culture is little studied, however.

0.4.1.3 The Sociology of Risk

This topic addresses the tacit and explicit recognition of risk, and the attribution of responsibility for managing it, within society. ‘Risk society’ is a prominent idea (Beck, Reference Beck1992) that describes unintended and endemic consequences of transformation of society from industrial to modern, exemplified by climate change and also by the 9/11 terrorist attacks. Rather than advances in technology and society solving the problem of future uncertainty, the proposal is that these advances feed the complexity of ‘modernity’ that creates unknown unknowns. This framing of emerging risk as both material and ever-present has filtered into organisational and strategic thinking, suggesting that organisational risk culture reflects societal culture as it does internal culture and values.

0.4.1.4 Rogue Behaviours

Can risk culture thwart rogue behaviours by individuals? Risk culture is often cited as an explanation for actions and decisions by individuals. Recent years have brought many instances of ethical misbehaviour within corporations to the spotlight, such as insider trading, fraud and bribery, and served to make this association indelible. While these cases present outright criminality, speculations have been offered that culture may serve to thwart criminal tendencies or help in rehabilitating errant individuals. Putting aside causality, culture can serve to amplify or dampen an individual’s actions. What may originate as an individual exercising independence to complete a job within scope could also result in escalating behaviours involving harassment, bullying and other predatory actions. A concern is that less desirable, unethical or even criminal behaviours can grow to become mainstream and endemic with an organisation. Indeed, a management conundrum is that growth of rules to guide behaviours in a complex working environment can promote rule-bending behaviour (Weinberg & Taylor, Reference Weinberg and Taylor2014). Another dimension of the gradual escalation of poor behaviour is the rogue individual who is rogue by nature or nurture and brings associated behaviours into a company. This situation, like an infectious virus, uses the immune system of the company’s risk culture – risk culture as immunotherapy – to either kill off the virus or spread this behaviour. The literature suggests that contagion of one bad apple may not be to the whole barrel, however, but to the ‘in-group’ of staff who identify with the miscreant (Gino, Aval & Ariely, Reference Gino, Aval and Ariely2009).

0.4.2.1 Organisational Subcultures

Perhaps the most obvious question is to ask what risk culture means in each division, or even team, of an organisation. The past and present – relating to staff, clients and business environments – may drive different manifestations of organisational culture, hence risk culture. For a division or business line, the question or risk culture addresses vertical structure and workflow, hence the transmission of risk culture from the top down, as well as the sensing and prioritisation of risk from the bottom up. Considerations of horizontal structure are natural when looking at corporate risk functions, e.g. in the financial services via the first, second and third lines of defence, which correspond roughly to risk management integral to business activities, risk oversight of business activities and independent assurance, also known as audit and compliance. On one hand, risk culture in the second and third lines of defence cuts horizontally across team and divisional boundaries. On the other, does risk culture in the first and second lines indeed exist independently of business activities, or, instead, is it inseparable from the way business is managed?

0.4.2.2 Geographical Impact on Culture

Globalisation has driven unprecedented growth in international trade but has also been credited to fuelling populist movements around the world. Greater interconnectivity exists throughout the world economies to support global markets via tactical components such as global value chains and broader socio-economic support networks. The impact of locale on risk culture of an organisation is highlighted in international management, e.g. country risk factors are relevant to both business prospects and the exposure of the organisation to bribery and corruption (Ministry of Justice, 2010). While tailoring global corporate practice to different locations increases the burden of management and oversight, bringing local knowledge and customs into that corporation may have resilience impacts on the wider organisation (Bunderson & Sutcliffe, Reference Bunderson and Sutcliffe2002).

0.4.2.3 Overlapping Subcultures

A member of an organisation is a participant in several subcultures, including one for their professional identity within the organisation, perhaps as an engineer or executive (Schein, Reference Schein1996), and another for their organisational silo, perhaps in a product division or a centralised function like human resources. Personal or political subcultures separate from the organisation may also be relevant. This raises questions about how individuals, and organisations, understand and react to multiple subcultures, particularly when they clash. Subculture scholars challenge organisational culture as a unitary entity.

0.4.2.4 Gender and Cultural Diversity

What are the implications to risk culture from increasing gender and cultural diversity within an organisation? The value of heterogeneity in improving resilience in many other regimes such as biological and ecological systems, species population and plant robustness has been well established and can serve as a reference point. Public knowledge of inequities associated with gender and diversity have highlighted the dark side of power structures in companies and the immutability of certain organisational and societal cultures. Gender and diversity risk encompass pay equality, creating a harassment-free workplace, safeguarding vulnerable employees and beneficiaries, fair hiring and gender balance. The business case for greater diversity has been made in the form of improved company governance – better practices in managing broader stakeholders by taking greater care in sustainable environmental practices, enhanced corporate social responsibility, organisational culture, recruitment and retention of talent (Page, Reference Page2007). Examples include the positive correlation between diversity at the executive level and profitability and value creation, and that companies in the top quartile for gender diversity are 27 per cent more likely to outperform their national industry average in terms of economic profit (Hunt, Prince, Dixon-Fyle & Yee, Reference Hunt, Prince, Dixon-Fyle and Yee2018).

0.4.3.1 Drivers of Cultural Change

An understanding of evolving risk culture would be informed by a taxonomy of the drivers of change, internal or external. Potential influences on culture include (changes in) management of personnel (from recruitment and training through to incentives and promotions), leadership, governance and structure, regulation, market forces, consumer preferences and the broader economic and social setting.

Wider global forces like climate change and the fourth industrial revolution will bring macro-shifts and consequently challenge risk culture in organisations.

0.4.3.2 Complexity and Feedback in Organisations

Complexity is the subject of study and management insight across a variety of fields and scales (Helbing, Reference Helbing2008). With roots in control engineering models that incorporate feedback loops, this concept addresses the dynamics of change within organisations and other systems, explicitly accounting for multiple processes, formal and informal, at potentially different scales, each apparently following its own momentum while influencing and being influenced by other processes. Executive anecdotes aplenty inform this view, e.g. incentive schemes that inspire short-term mis-selling of products, leading to midterm legal and regulatory retribution and, in the longer term, reputational issues that harm commercial performance and also staff morale.

0.4.3.3 Measurement and Management of Risk Culture

To what extent is risk culture manageable, e.g. subject to controlled change that is effectively measurable? Hence, what is the benefit of such management? We note that Freeman, in Chapter 7, takes a sceptical view about how firm performance relates to risk culture, while Mikes, in Chapter 8, is more positive in showing how an organisation’s values can be measured and linked to its risk culture.