Dave Ulrich, who has published a number of books about the human aspects of a successful business [e.g. Ulrich 2015], once suggested that investors and auditors need to monitor and assess the culture of a company to evaluate the quality of a potential investment and, thus, the sustainability of a business.
Risk culture is a part of the corporate culture of an enterprise and as such it among other things captures how leaders of the company deal with the uncertainties of the business. It is about how they approach variance, thus, find ways to forecast and manage potential positive and negative deviations from the targets set.
Risk Management and Risk Culture
Frank Romeike identifies four elements of an effective risk management system being (1) risk culture, (2) methods, (3) process, and (4) organization [Romeike 2018].
Risk culture is an element of risk management that, using the terminology of Karl-Friedrich Ackermann, one could consider to be non-directed [Ackermann 1999], thus, not designed to deal with a specific risk or set of risks. Instinctively one would expect the risk culture to be anchored in the behavior of people in such a way that the risk management of a corporation develops its intended effect.
The intended effect has to be pre-defined. This responsibility is in the hands of the company's leadership (i.e. top management, the boards) and it constitutes one of their most essential tasks: consolidating and determining the vision and strategy of the business and the principal approach to the manner and format of managing the accompanying opportunities and threats.
The appropriate approach may vary across an organization, with different parts of the business adopting an appetite that reflects their specific roles, with an overarching risk appetite framework to ensure consistency [Berger in Gleißner / Romeike 2015, p. 643-654].
It would be natural to assume that some companies will be rather risk averse and display the safety bias seeking to avoid risks at the expense of the potential business opportunities; others might tend to display an "opportunity bias". The latter corporations most probably strive to operate in accordance with the principles of agility.
The risk averse businesses rather rely on a limited number of well-tested dependable business solutions, believing in the notion that "one size fits all" works well enough. As Sidney Dekker suggests [Dekker 2014], those business cultures tend to stigmatize mistakes; therefore, they tend to create rigid organizational structures and cumbersome processes to control the operation with the focus on avoiding errors.
The enterprises with opportunity bias are likely to strive to work with a variety of products and / or models to test the interest of the markets and clients regularly (e.g. Google, IBM, Tesla/SpaceX etc.). They accept the side effects of this trial and error approach, namely occasional negative outcomes. However, by doing so they capitalize on unleashing the creative and innovative potential of their workforce. Control is rather exercised through collaboration (i.e. working in teams) and procedural rules allowing quick and direct feedback.
The risk management is not an abstract concept but a way of doing business through people
As per Kobi, enterprise risks are usually rooted in people [Kobi 2012 p.19]:
Figure 01: Risks are rooted in people
Rolling out a new corporate and risk culture at a company entails a number of measures. In his work "Leading Change", John Kotter [Kotter 2012] describes the essential steps and elements of a successful change process.
To anchor a new risk culture, the failure management style and the associated decision-taking processes seem critical. Following the recommendations of Sidney Dekker [Dekker 2014 and 2017], this especially requires a shift away from the focus on eliminating mistakes and the commitment to avoiding them, toward dealing with what preserves the business success of a company, among other things through learning from mistakes. The means of upgrading the risk or safety culture of a company depend on how mature that culture already is.
The next steps to follow have to be more specifically directed – through leadership training, specific actions and feedback formats – towards concrete ways of interaction between people in the organization that create the sense of shared responsibility, support autonomous working and increase motivation.
Leadership by trust is a prerequisite for autonomous and consequently more motivated working. At the same time, learning what trust in business means and how to offer it to team colleagues, other corporate functions and third party business partners (i.e. clients and vendors) is quite an effort.
Corporate Culture vs. Risk Culture
The underlying assumption is that the risk culture of a company correlates with the corporate culture in a very direct manner [see also Romeike / Hager 2013 p. 297]. It will, thus, be helpful to identify the elements of the corporate culture that support an effective risk culture and link them with the relevant aspects of the latter.
The literature on risk culture seems limited, but the following insights might help. Numerous works have been written about
- various definitions of culture,
- the role of corporate culture, and
- challenges of the cultural change as one of the most essential elements of the change management.
Definitions of Culture
The concept of organizational culture gained relevance in the 1980s. It rapidly attracted the attention of those entrepreneurs and scientists who were interested in understanding how to deal with change management challenges in business. Some of them focused on trying to measure culture. Dan Denison [Denison et al. 2012] was among the first "measurers" who attempted to show that culture measures did relate to performance.
In the work Victory Through Organization, Dave Ulrich and a group of co-authors express a similar view that an organizational form and processes are more decisive than the impact of an individual [Ulrich et al. 2017, p. 6].
There are many ways in which culture is defined in the scientific literature. Kroeber and Kluckhohn [Kroeber / Kluckhohn 1952] attempted to group different views of the phenomenon 'culture': they compiled more than 160 definitions of culture across sociology, anthropology, economics, and psychology, with the following outcome:
- 4 % of the 164 authors under review define culture in terms of shared ways of thinking being collective ideas, ideals, values, etc.
- 37 % capture culture in terms of behavior comprising behavioral patterns, shared habits, collective problem solving, and activities to achieve outcomes, etc.
- 49 % of the cultural constructs reflect on culture in terms of how social groups share common ways of both thinking and behaving.
Dave Ulrich describes culture as something that is anchored in reality through human behavior and at the same time construed in the human perception and expressed through linguistic concepts [Ulrich et al. 2017, p. 71-72].
Dan Denison, among others, refers to various sources and sums it up as follows: "Culture is both the way we do things around here" [Peters and Waterman 1982] and "what we do when we think no one is looking".
Edgar Schein [Schein 2016] differentiates between three levels of culture:
- Underlying assumptions that are "unconscious, taken-for-granted beliefs, perceptions, thoughts, and feelings."
- Values that stem from the basic assumptions and constitute the "justifications of strategies, goals and philosophies", and
- "artifacts" being the "visible, yet hard to decipher organizational structures and processes."
The well-known Iceberg Model depicts the above analysis.
Denison et al. list four established change approaches, some of them referring to cultural change as an essential element of the change process [Denison et al. 2012 p. 157]:
- Change management as the process and outcome of changing values,
- Dynamics of the change process as a main focus,
- Changing the business first and then institutionalizing the new way of working, and
- The mindset / underlying assumptions of the leaders as the decisive factor.
John Kotter [Kotter 2012] is very blunt when expressing the warning that the new practices introduced in a transformation effort will always be subject to regression if they are not compatible with the established culture.
His recipe for a successful change seems to be this: "In many transformation efforts, the core of the old culture is not incompatible with the new vision, although some specific norms will be. In that case, the challenge is to graft the new practices onto the old roots while killing off the inconsistent pieces." [Kotter 2012, p. 160 ff]
And it takes time – since changing the culture usually means changing people. Even when there is no personality incompatibility with a new vision, shared values are the product of many years of experience in a corporation and therefore years of a different kind of experience are needed to create any cultural change. This is the reason why cultural change has to take place at the end of a transformational process [Kotter 2012, p.164-165].
Dan Denison and his co-authors [Denison et al. 2012, p. 156] suggest that one should "attack" rituals, habits, and routines. They call habits "a frozen interpretation of the past that is used to plan the future". They differentiate between four groups of habits and routines that require different handling [Denison et al. 2012, p. 158]:
Figure 02: Four groups of habits and routines
The underlying recommendation is to rethink the connection between knowledge and action linked by habits / routines.
Elements of the Risk Culture
The elements of the risk culture can, for example, be identified in accordance with the definition by BaFin in MaRisk (Minimum Requirements for Risk Management, published by the Federal Financial Supervisory Authority, BaFin), AT 3 (its latest version). The elements of risk culture as per MaRisk are, inter alia, as follows:
- Risk awareness,
- Adequate behavior of employees,
- Decision making processes,
- Tone from the Top,
- Transparent and open dialogue, and
- Partnership like concept of leadership.
Frank Romeike [see Romeike 2018 p. 216 ff. and also Romeike / Hager 2013, p. 300 ff] defines the risk culture elements in a more focused way: (1) communication, (2) leadership & strategy, and (3) motivation.
All three elements are further elaborated in the form of specific examples:
Communication is meant to include various internal formats of information flow like intranet, employee news magazine etc.; exchanges of information across all functions / business units and hierarchical levels; presentation of the risk management as an essential value driver with its unpleasant truths and uncertainties.
Leadership and strategy are packaged to cover a clear communication of goals and values of the risk management, definition of processes and responsibilities and the commitment of the top management to lead by example (i.e. tone from the top).
Motivation embraces clear responsibilities, trainings, engagement with all employees e.g. in cross-functional teams (e.g. in form of a risk management committee), but also control of the processes and inclusion of risk management aspects in the goal setting of the employees.
Taking a closer look at what are the elements of the risk culture that do not form a part of the corporate culture, it becomes obvious that the additional elements of the risk culture comprise
- the attitude to risk management displayed by the top management,
- a structured dialogue about risks / uncertainties across the company, and
- "conditioning" the behavior of or incentivizing the staff and management members to deal with risks in a defined way; one important part of it is the way of dealing with human errors.
At the same time, some specific, more general cultural elements (like open / transparent dialogue, clear definition of goals, processes and responsibilities, leadership by trust to empower etc.) form a favorable basis for the risk culture to be effective. In other words, a corporate culture has to display certain qualities to support a forward-looking way of dealing with risks and opportunities.
Thomas Berger [in Gleißner / Romeike 2015, p. 647] summarizes this as follows: "Risk culture is … a part of the corporate cultures or the concretization of the corporate culture for the risk management" [translated by MC].
Meik Führing [Führing 2004] uses the three level model by Edgar Schein [Schein 2016] to deduce the so-called resources-oriented risk management culture approach. He correlates risk management aspects in the narrow sense with those in the broader sense as follows:
Figure 03: Three level model
To be able to understand and design the risk management culture, it seems helpful to interpret the artefacts and to decipher the hidden underlying premises (see above chart) [see also Paul 2005].
Cameron / Quinn refer to the so-called Total Quality Management (i.e. TQM) and use their competing values framework to summarize a comprehensive set of TQM (or risk culture) values.
Those values are clustered by four major culture types: hierarchy, clan, adhocracy and market cultures. Their hypothesis is that many TQM attempts fail only if a partial approach is tried. Their experience seems to show that "when all of these [values] are integrated in a TQM project, the success rate increases significantly" [Cameron / Quinn 2012, p.56-57].
Figure 04: The Competing Values of Total Quality Management
Rolling Out a Risk Culture Upgrade: Failure Management or No Blame Culture
What is the carrying foundation of the risk culture in an agile context?
If we follow the reflections of Sidney Dekker, it is all about how an organization deals with failures and their consequences.
The Hindsight Bias
If a mistake is made or an accident has occurred, one can look at the events in hindsight and might develop the idea that the undesirable outcome could have been anticipated and prevented through a harder preceding effort. Sidney Dekker calls this hindsight bias.
Shaming the person or persons who have seemingly not applied themselves to avoid the mistake or incident is a logical consequence of this thinking. The negative outcomes get stigmatized and an organization might therefore be tempted to try to condition the leaders / managers and the staff to increase the protections against those outcomes focusing on reducing the count of them.
Sidney Dekker seems very skeptical that this strategy is a promising way forward. In his works, he stresses that there is no scientific evidence that mistakes or incidents can be avoided 100%. In his eyes in the professional context with competing or even conflicting interests and scarcity of resources, the so-called mistakes are a natural by-product of working.
In other words, the focus can more usefully be set on learning from mistakes and incidents that have an increased potential to harm people etc. or the business of the company.
However, how to make the learning process meaningful, and who can learn in the first place?
Sidney Dekker believes that the learning process can only logically start with the person or persons that has or have contributed to the negative outcome in a specific situation due to their professional responsibilities. They are the ones who have invested themselves into considering solutions and taking decisions while pursuing specific intentions.
This is why it is important that they are able and feel safe and comfortable to come forward with their story of the events that led to the unfortunate outcome and their view of the facts as they presented themselves to that person or persons at the time the decisions had to be made. These accounts need to be listened to with the appreciation that the decision was most probably taken under time pressure and with constrained resources. Also, the decision-takers have most probably anticipated and worked toward a more positive result than the actual outcome.
In other words, Sidney Dekker pleads in favor of the so-called forward-looking justice: Looking at situations from now towards the anticipated future effects, acknowledging that there is a discretionary space [Dekker 2017, p.131-132] for every professional to fill with actions that can take this professional to intended and less intended results:
"Systems cannot substitute the responsibility borne by individuals […]. But systems can do two things. 1. One is to be as clear as possible about where that discretionary space begins and ends. […] [and] 2. […] decide how it will motivate people to conscientiously carry out their responsibilities inside of that discretionary space. … There is evidence that empowering people to affect their work conditions, to involve them in the outlines and content of that discretionary space, most actively promotes their willingness to shoulder their responsibilities inside of it".
Complex Systems and Zero Mistakes
In his book "Normal Accidents" Charles Perrow [Perrow 1984] proposes that having accidents is a structural feature of the complex systems that we build and operate. In a complex system there will always be interactions and effects that we will not be able to foresee, understand and / or prevent.
Thus, zero mistakes goals seem unrealistic and Dekker on top confirms "… that a vision zero does not come out of safety research. … It is an ethical commitment to do no harm. …". [Dekker 2014, p. 173] As such, the intention is positive; the execution can however even cause harm.
Sidney Dekker suggests that instead of talking about individuals on one side and systems on the other side we shall rather take a look at individuals in systems [Dekker 2017, p. 131 ff] and at the question how to effectively help handle the discretionary space for personal accountability that is filled with ambiguity, uncertainty, and moral choices.
Thus, even if we were to assume that there will always be sufficient space for error, however hard we try not to allow it to happen, mistakes will be made and incidents will happen. So how to deal with the potential for unintended outcomes? What good can be drawn from them?
Ethics, Quality of Relationships and Learning Organization
This is the context within which some thought should be spent on the concept of a learning organization. It is all about learning from everything around you: in the first instance, from the daily business and from your own and your colleagues' daily business experiences, and also from undesirable outcomes in it.
What makes us come clean if things go sour and we are a part of it going in a less favorable direction? Do we not all fear the expression of displeasure by our family and friends and, in the professional environment, by our colleagues and superiors? How to break through this anxiety about embarrassment and about consequences of a monetary and even disciplinary nature?
This is where, among other things, ethics comes into the picture [see Romeike / Hager 2013, p. 296-297].
What is the right thing to do is indeed an ethical question. It is the built-in compass that helps a person to navigate through various life situations in a meaningful way. It is about values, about what individuals believe is right or wrong. Ethics is a branch of philosophy and it offers a systematic reflection on this type of question. There are a number of different ethical approaches [see Dekker 2017, p. 138 ff].
So, what makes responses to incidents just or unjust? "Bad relationships are behind unjust responses to failure" seems to be the assumption. On the other side, "good relationships are about openness and honesty, but also about responsibility for each other and accountability to each other. ... Good relationships are about communication, about being clear about expectations and duties, and about learning from each other. … if you want to do something about just culture, that is where to start". [Dekker 2017, p. 144]
Sidney Dekker suggests that "we can create such accountability not by blaming people, but by getting people actively involved in the creation of a better system to work in" [Dekker 2017, p. 133].
"Forward-looking accountability" is the term that Virginia Sharpe, a philosopher and clinical ethicist, suggests using to give the desired approach an ethical name [see Sharpe 2003].
Culture of Trust and Just Culture
In other words, it takes trust or a culture of trust that can only thrive in the context of what Dekker calls "just culture".
A just culture means more specifically [Dekker 2017, p. 133]:
- Encouraging learning through blameless lessons learnt experiences,
- Focusing on understanding which factors have contributed to the negative event and how it can be avoided in the future,
- Giving space to individuals that have contributed to the negative outcome to give detailed account of their contributions to failures,
- Working hard to eliminate the hindsight bias, and
- Learning how work actually gets done from operational people and not from handbooks and managers.
Now that we understand what a just culture might mean, the question arises how to roll it out.
Risk / Safety Culture: Old and New Views
Building a risk or safety culture starts with understanding the view on risk and safety the organization would like to implement. Dekker contrasts the old view safety and the new view safety in the following table: [Dekker 2014 p. 163]
| Old View Safety | New View Safety |
| --- | --- |
| People seen as a problem to control | People seen as a resource to harness |
| Focus on people’s attitudes and behavior | Focus on people’s working conditions |
| Safety defined as absence of negative events (incident/injury free) | Safety defined as presence of positive capacities to make things go right |
| Whoever is boss or safety manager, gets to say | Whoever is expert and knows the work, gets to say |
| Dominated by staff | Driven by line |
| Guided by rules and compliance | Guided by insight and context |
| Make it impossible for people to do the wrong thing | Give people space and possibility to do the right thing |
| Governed by process and bureaucracy | Adjusted by mutual coordination |
| Strives for predictability and standardization | Strives for diversity and innovation |
| Safety as accountability that is managed upward | Safety as a responsibility that is managed downward |
Table 01: Old View Safety and New View Safety
The actions that can be successfully implemented toward a New View safety culture depend on how safe the specific part of the organization (i.e. system) already is.
How Safe Is Your Business?
Dekker differentiates as follows [Dekker 2014, p. 179]:
- Unsafe systems (i.e. certain types of mountain climbing or surgery like transplant) – "The risk of failure… is inherent in the activity and is accepted, as it is the other side of trying to extract maximum performance"; such systems can be made safer through
  - Maximum performance; and
  - Individual competence.
- Safer systems (i.e. road traffic or certain types of healthcare) – can be made safer through
  - Standardization; and
- Safe systems (i.e. food supply or charter airline flying) – are made safer through
  - Just culture; and
  - Incident reporting.
  - Safety monitoring has to go beyond quality control (e.g. deeper event analysis), safety management should attract additional resources (i.e. by dedicated business unit), skills are needed beyond individual competent practice (i.e. teamwork); finally,
- Ultra-safe systems (i.e. international airlines, nuclear power), when incident reporting may no longer help predict potential for accidents – should be made safer through
  - Understanding 'normal work' (daily workarounds, frustrations etc.), and
  - Resilience (what makes them continue functioning despite challenges).
The incident / accident rate is the highest in unsafe systems and logically the lowest in the ultra-safe systems, where the remote risk will likely be something the business did not have on its radar, e.g. was not measuring. In the ultra-safe systems "holes in layers of defense and formally reported incidents are no longer the herald of accidents or fatalities. Normal work is." [Dekker 2014, p. 185]
Dekker recommends aligning the investments into safety upgrade with the level of safety a particular activity has already achieved. He also shares a number of recommendations as to what to put in the places where there are no "holes":
- Monitoring of safety monitoring,
- Not taking past success as guarantee of future safety,
- Resisting distancing through differencing,
- Resisting fragmented problem solving,
- Knowing the gap between work-as-imagined and work-as-done,
- Keeping the discussion about risk alive even when everything looks safe,
- Having a function within the system with the authority, credibility and resources, and
- Maintaining the ability of bringing in different perspectives.
Reviewing the above reflections it becomes obvious that rolling out a New View safety and / or risk culture is naturally embedded in rolling out a corporate culture of
- Trust and cooperation,
- Autonomous working, and
- Diverse viewpoints (i.e. diversity), creativity / innovation, etc.
The elements of the risk culture addressed above can only be established as a consequence of rolling out a new corporate culture that, in an environment of growing uncertainties, is meant to be able to adapt to environmental changes very quickly. Thus, agility already provides a very good basis for a successful risk or safety culture.
It seems fair to assume that rolling out a new risk culture is as challenging as rolling out a new corporate culture. In any case, and as already pointed out earlier, the latter has to be updated concurrently with the risk culture being re-defined.
John Kotter [Kotter 2012] defines the structure for the process of successful change management that has been recognized and utilized by the leaders and organizations across the globe.
Following Kotter's realization that the change process does not start but ends with the cultural adjustment, the action points preceding cultural change will concern first and foremost
- The definition of the new vision and strategy and its communication,
- Forming a leadership team that is capable of mobilizing necessary resources around the new direction and ideas how to do,
- Empowering the organization to become a part of it including buy-in, and
- Generating short term wins, consolidating those and at the same time producing further changes.
In his book Leading Change, Kotter has specifically identified eight stages of the change process that, as he believes, should be followed in a particular way to provide for a successful change at the end. Although the individual stages appear to form a sequence, in the context of complex changes the process is supposed to consist rather of repetitive cycles comprising the above steps several times.
The outcome of this iterative process will be a set of new values fostering redefined norms and behaviors, which can and will only be strengthened by the experience of numerous wins / successes.
A risk culture that supports an agile way of corporate working needs to embrace a no blame approach to mistakes.
Sidney Dekker introduces the term 'just culture' to describe the required culture, which in his definition is a culture of trust, learning and accountability. This type of culture seems particularly helpful when something goes wrong. Justice, as some of us might believe, can in fact be restorative (vs. retributive). Creating a restorative culture means, among other things, understanding why people may actually be breaking the rules, how to respond fairly when it happens, and how to minimize the negative impact and maximize learning.
It is important to embrace that holding people accountable does not mean punishing them. It seems much more effective to offer people an opportunity to tell their account or story, to feel and express remorse and, by doing so, to foster learning for themselves and also for others.
After all, creating justice for people in a corporation might be one of the hardest tasks to assume.
- Ackermann, Karl-Friedrich (Hrsg.) (1999), Risikomanagement im Personalbereich: Reaktionen auf die Anforderungen des KonTraG, 1. Auflage, Springer Fachmedien Wiesbaden.
- Cameron, Kim S. / Quinn, Robert E. (2011), Diagnosing and Changing Organizational Culture, Based on the Competing Values Framework, 3rd edition, Jossey-Bass, San Francisco.
- Denison, Daniel / Hooijberg, Robert / Lane, Nancy / Lief, Colleen (2012), Leading Culture Change in Global Organizations: Aligning Culture and Strategy, 1st edition, John Wiley & Sons, Inc., San Francisco, CA.
- Dekker, Sidney (2014), The Field Guide to Understanding 'Human Error', 3rd edition, CRC Press Taylor & Francis Group, LLC, Boca Raton, FL - London - New York.
- Dekker, Sidney (2017), Just Culture: Restoring Trust and Accountability in Your Organization, 3rd edition, CRC Press Taylor & Francis Group, LLC, Boca Raton, FL - London - New York.
- Führing, Meik (2004), Risikomanagementkultur als Aufgabe und Herausforderung für ein ressourcenorientiertes Risikomanagement, Kommission Personalwesen, Herbstworkshop.
- Gleißner, Werner / Romeike, Frank (Hrsg.) (2015), Praxishandbuch Risikomanagement: Konzepte – Methoden – Umsetzung, eBook, Erich Schmidt Verlag Berlin.
- Kobi, Jean-Marcel (2012), Personalrisikomanagement: Strategien zur Steigerung des People Value, 3. Auflage, Gabler Wiesbaden.
- Kotter, John P. (2012), Leading Change, 1st edition, Harvard Business Review Press, Boston, Massachusetts.
- Kroeber, A. L. / Kluckhohn, C. (1952), Culture: A Critical Review of Concepts and Definitions, Vintage Books, New York.
- Paul, Christopher (2005), Personalrisikomanagement: Bestandsaufnahme und Perspektive, Arbeitspapier 112, Hans-Böckler-Stiftung, Düsseldorf.
- Perrow, Charles (1984), Normal accidents: Living with high-risk technologies, Basic Books, New York.
- Peters, Thomas J. / Waterman, Robert H., Jr. (1982), In Search of Excellence: Lessons from America's Best-Run Companies, Warner Books, New York.
- Romeike, Frank (2018), Risikomanagement, Springer Gabler Wiesbaden.
- Romeike, Frank / Hager, Peter (2013), Erfolgsfaktor Risiko-Management 3.0, 1. Auflage, Springer Fachmedien Wiesbaden.
- Schein, Edgar H. (2016), Organizational culture and leadership, 5th edition, Jossey-Bass.
- Sharpe, Virginia A. (2003), Promoting patient safety: An ethical basis for policy deliberations, In: Hastings Center Report 2003; 33(5), p. 2-19.
- Ulrich, Dave (2015), The Leadership Capital Index: Realizing the Market Value of Leadership, 1st edition, Berrett-Koehler Publishers, Inc. Oakland, CA.
- Ulrich, Dave / Kryscynski, David / Ulrich, Mike / Brockbank, Wayne (2017), Victory Through Organization: Why the War for Talent Is Failing Your Company and What You Can Do About It, 1st edition, McGraw-Hill, New York.
Margarita Chalmer, Sr. Director Corporate Insurance Risk Management (CIRM) at Hapag-Lloyd AG.