“Banks are undergoing a shift away from that data grunt management focus to training people up with the intelligence and knowledge to unpack what is really happening. It’s about proactive intervention and identifying risks before a breach occurs, rather than just implementing technologies and hoping for the best.” Lisa Dewhurst, Head of Group Regulatory Compliance, Bendigo & Adelaide Bank
‘Poor culture can undermine … trust and confidence. By contrast, good culture, which is more conducive to good conduct, helps maintain trust and confidence.’ John Price, ASIC Commissioner
‘Many discussions of the crisis have explored how firms’ varying risk cultures have strongly affected their response to the building up of risk before the onset of market turmoil, or to the strains of coping with the crisis, or both’. (IIF, 2009)
‘It’s important to have a continuous focus on culture, rather than wait for a crisis. Poor behaviour can be exacerbated when companies come under pressure.’ Sir Winfried Bischoff, Chairman, UK Financial Reporting Council
Risk Culture needs to operate in a way that incorporates cognitive, organizational, environmental, contextual and technological demands in an interdisciplinary manner.
There are three general classes of cognitive factors that govern how people form intentions to act in response to a situation of risk or a decision in that regard.
1. Knowledge factors: -factors related to the historic experiences and knowledge that can be drawn on when solving problems in context. Use what you know.
2. Attentional dynamics: -factors that govern the control of attention and the management of mental workload as situations evolve and change over time. Take the time to think.
3. Strategic factors: -the trade-offs between goals that conflict, especially when the practitioners must act under uncertainty, risk, and the pressure of limited resources (e.g., time pressure; opportunity costs). What are the possible outcomes and the consequences of those outcomes?
Risk-awareness, at the level of the individual worker, is essentially giving workers a “licence to think”. (1) In the first instance, this requires leaders to acknowledge that there may be a gap between “work as imagined” by the leaders and the “work as actually performed” by the workers. (2)
When a group of employees in an organisation were asked to talk through a practical example of how they think about risk, and their responses were classified according to Endsley’s model of situation awareness, it was found that their responses were incomplete at all levels (perception, comprehension and projection) but most notably at the third level of the hierarchy, that is their ability to project the future status of what they had perceived and comprehended.
There is thus no guarantee that any paperwork/ attestations enables the employees to foresee all the risks on a job. Teaching all employees risk management skills and building an effective risk culture is the only way to have sound risk management at all levels and achieve sustainable competitive advantage for the organisation.
(1). Westrum, R. (1992). Cultures with requisite imagination. In J. A. Wise, V. D. Hopkin & P. Stager (Eds.), Verification and validation of complex systems: Human factors issues. New York: Springer-Verlag.
(2) Dekker, S. (2006). Resilience engineering: Chronicling the emergence of confused consensus. In E. Hollnagel, D. D. Woods & N. Leveson (Eds.), Resilience engineering: Concepts and precepts. Hampshire: Ashgate.