What’s organisational culture got to do with risk management?
Corporates have focused on attitudes, behaviours and risk for some time, trying to find remedies for corporate failures. The same issues apply to charities and social enterprises. One hopes a commitment to values would lead to a healthy culture, but don’t assume.
Many people talk about having an “open” culture. By this, they presumably mean people are able to speak up, share ideas and say if they think that something wrong is being done. The opposite would generally be seen as a blame culture. What is not necessarily obvious is the impact culture has on the effectiveness of controls to manage risks.
The link between culture and risk
In a blame culture, people might rigidly follow procedures for fear of criticism. People are less likely to take the initiative if they fear being humiliated if something goes wrong. You are likely to have an organisation that is cautious, lacks the appetite for innovation and thinks that doing things by the book is virtuous. Decisions and even actions are likely to drift up the hierarchy because people are reluctant to take responsibility. This is a risk-averse culture where it will be hard to get changes through. Interestingly, the journalist Matthew Syed, in Black Box Thinking, quotes evidence that such organisations get more errors, but they go unreported: just following procedures does not necessarily mean an organisation is well-controlled and compliant.
How effective are conventional internal financial controls in an organisation with a blame culture?
Let’s consider a key control such as authorisation of payments. A system of delegated authority is usual and helps to clarify responsibilities.
However, a recent spate of frauds served to highlight a potential problem in organisations where the actions or words of a senior manager cannot be questioned.
The fraud used this characteristic of some organisations: a fake email purporting to be from the chief executive to the finance team instructed them to pay funds to a bank account. Would your finance team question the instruction, or would the culture inhibit them?
Another typical control for most organisations is the comparison between actual and budget in management accounts. This should highlight potential problems and areas where management action might be needed. But in organisations that do not readily hear bad news, you will find managers covering up their errors in budgeting or actual overspends or underspends. Rather than management accounts being a source of information and feedback, they are used as a defensive tool.
Contrast this with a trusting culture where management information is a source of learning and a middle manager can go to a senior manager and suggest a change in tactics in order to improve outcomes. It’s not just a matter of being a nice place to work – an open culture also strengthens the control environment.