We need to be sensitive to organisational culture, say Andrew Hill and Alex Hindson

In our engagements with clients we are often asked to conduct strategic reviews of risk functions. Regardless of the industry sector or the remit of these functions, certain themes reappear. They bring into question the fundamental purpose of risk management within organisations as diverse as financial institutions, small manufacturers and large multinational corporations.

Our 20 years of experience show that unsuccessful risk management interventions (where they are the source of substantial conflict, or fail to add significant value to their organisations) are often the result of a failure to keep up with organisational change. The function is perceived to be semi-detached from the core of the business. In seeking the reasons for this, and hence to identify potential solutions, two root causes frequently emerge:

(1) Clarity of role and process: Has the function secured a clear definition of its remit within the organisation as a whole, and does it understand which key business processes it has ownership of?

(2) Cultural alignment: In the excitement over new technologies, organisational structures and products, culture is quite simply forgotten. However, it is clear that risk management needs to understand the prevalent culture within any organisation and adapt its approach correspondingly.

We would argue that successful and respected risk functions and risk managers have understood and acted upon these aspects, often in an instinctive manner. These aspects help to define how a risk function would operate within its organisation.

Defining the business processes within a risk function

Many risk functions have evolved over time from an original insurance, audit or safety core competency. Invariably this evolution means that there is no clearly defined statement of what the function is trying to achieve, either in the form of a strategy or a mission statement. Without this unequivocal statement of what the function is there to achieve, it can be difficult to determine how successful it is in driving forward an overall strategic objective. Our overall model is illustrated in Fig 1.

The exact business processes in place within a function depend on its remit, but given that most risk management functions cover some or all of enterprise risk management, insurance and risk financing, claims management and loss prevention, we can outline the key business processes:

• Strategy development and policy setting

• Risk assessment and reporting

• Risk financing programme design and implementation

• Claims management and incident investigation

• Management of service providers and outsourced services

• Management information (MI) creation and reporting

• Change and improvement programme management

• Internal client relationship management

• Stakeholder engagement and communication.

These business processes define the nature of the tasks that require completion, as well as the key skills required within the function. Our conclusion is that risk management functions are strongest in delivering the first six technical processes, but are often weakest in terms of having the skills required to deliver the last three.

Risk management is increasingly viewed as a process capable of effecting organisational change, and capable of driving significant improvement in organisational performance through behavioural change. This, however, implies that risk managers see themselves as managers of change and coordinators of improvement programmes on behalf of the organisation as a whole.

Communication, stakeholder engagement and relationship management are key skills found within internal functions that have traditionally seen themselves as providing a service to internal clients. Customer-aligned functions, such as procurement, IT or human resources, often have a clear definition of customer expectations and have processes in place to ensure that they deliver value to their internal clients.

By contrast, many risk management functions retain a strong technical competency, supplemented by strong administrative processes. Relationship management happens in marginal time, around these delivery processes. Not having clearly defined their key business processes, it may simply be that these risk functions have not been able to deploy the appropriate skills and resources to interface with their internal clients.

Identifying a strategy to increase influence

The second leg of the model within Fig 1 seeks to identify key competencies required by a risk function to work within the prevalent culture of the organisation. Culture can, however, be seen as a nebulous concept: 'the way we do things around here'. This is where the adoption of techniques developed by organisation psychology can be useful in understanding how organisations operate as social systems.

We have developed a simple cultural model for identifying an organisation's predominant business strategy and culture type. This defines four prevalent styles: P – Performance, A – Administration, D – Development and I – Intimacy. This analysis is supported by organisation development research and is outlined in Fig 2.

This approach can be used to diagnose which strategies for risk management are likely to be more successful in certain types of business environments. An inappropriate style of engagement with an organisation is, in part, the cause of dissatisfaction building up over the function's inability to interface with the rest of the organisation.

For example, suppose a fast-moving merchant bank has a predominant style of 'P – Performance', with emphasis on delivering in a responsive manner to meet customer needs with a minimum of process or bureaucracy. If the risk management function adopts a strong 'A – Administrative' style, with emphasis on process and reproducibility, there will be a strong potential for cultural incompatibility.

Similarly, within a research-driven organisation such as a biotechnology development organisation, where the predominant style is likely to be 'D – Development', there will be a desire for best practice and novel solutions. Again, if risk management adopts an 'A – Administrative' style with a process focus, management within the organisation is likely to react against such a structured approach.

Fig 3 outlines possible strategies for successfully addressing risk management implementation. These map approaches to the different cultural types and reflect:

• autonomy

• control

• performance rewards

• identity

• communication

• conflict tolerance

• change tolerance

• external coping

• internal organising

• management support

In driving forward risk management within an organisation, there needs to be an appropriately tailored approach that clearly links the organisation's shared values to the skills, behaviours and approaches required for successful implementation. PADI leadership behaviours are outlined in Fig 4.


Clearly, most off-the-shelf risk management interventions provide you with a solution that is not sensitive to your operating environment – your business lifecycle and your regional cultures. What is required instead is the ability to provide tailored and local solutions. These solutions improve safety, diminish liability and deliver the significant accident reduction you seek. The aim is to provide real behavioural change by providing:

• Control: developing a consistent set of management procedures tailored to the individual cultural requirements of each operating unit.

• Cooperation: deploying specialist human resources consulting staff to design an appropriate reward system to help drive employee cooperation.

• Communication: facilitating the development and embedding of a culture of communication, using recognised best practice.

• Competence: the development of a bespoke training process, addressing individual requirements.

In the case of our own company, this approach has provided us with a track record of consistently reducing accident rates across cultures and industries. In one example it was possible to increase the safety performance of an organisation by 64% and save seven figure sums.

What does your organisation need?

• Cultural audit: Seek to identify the factors that affect risk management in your organisation. This can be through benchmarking your work practices, understanding your market pressures and regional cultures, and establishing an improvement plan.

• Overcoming resistance to change: Listen to your employees, understand their fears and provide your leadership team with clear feedback. The key is to focus on improving awareness, capability and willingness. In short, this means addressing the personal control people feel they have regarding change, the clarity with which roles and goals are understood and the support required from your leaders.

Next steps

As outlined in Clearing the Hurdles (StrategicRISK, Nov. 2006), we would ask whether or not you have:

1 Clearly defined objectives for the risk management function and a route map of how to achieve them?

2 A stakeholder and internal client engagement plan?

3 A coherent communication strategy, aligned to the culture, capable of explaining to the organisation the purpose of risk management?

4 Clarity of roles and responsibilities for managing risk, including a definition of the remit of the risk management function itself?

5 A risk management infrastructure with resources, tools and processes for delivering these objectives?

Alex Hindson is associate director of enterprise risk management at Aon Global Risk Consulting, Tel: 01932 837 403, E-mail: alex.hindson@irmg.aon.co.uk. Andrew Hill is principal consultant at Aon Consulting, the human resource solutions consulting practice within Aon Limited, Tel: 01491 571182, E-mail: andrew.hill@aon.co.uk