Dr. Hole is a Continuous Improvement evangelist that talks about linking Continuous improvement and Risk Management. By linking the two areas one is shifting from a reactive approach of controlling variances, to proactively eliminating potential sources of failure. Continuous improvement, in regard to organisational quality, risk and performance, focuses on improving customer satisfaction through continuous and incremental improvements to processes, including the removal of unnecessary activities and variations.
Risk management is part of a continuous improvement approach. The ongoing identification and treatment of risks is reinforced by mapping major risks for the Group and its units. The Risk Management Department designs the processes to be implemented in each organizations and operational unit and assist and monitors its implementation by management. It steers the alert procedures and crisis management, both of which are the subject of regular simulation exercises.
Some argue the importance of culture to an organization’s enterprise-wide risk processes and compliance standards. Identifying what factors make an organization’s culture strong from a risk standpoint and how they can be aligned with risk and compliance initiatives can be challenging. However, Dr. Hole is of the meaning that even more challenging is how companies can go about improving their risk culture and measuring progress over time.
Some years ago Dr. Hole started with continuous improvement in an electrical company. In this case it was the turning point for the group management of the company in rethinking the role of an organization’s improvements and risk culture. Perhaps the most important lesson from that period was that a strong improvements and risk culture should permeate all levels of an organization. As a starting point, it’s important to realize that improvements and risk culture should affect everyone, not just the quality and risk function. Continuous Improvements, Governance, Risk and Compliance practice is also to a large extend determinate on the organization’s culture manages risk when the organization is under stress. For some companies, their continuous improvements and risk culture can be a liability. For others, it can provide both stability and a competitive advantage.
Dr. Hole has worked with continuous improvements and risk management within different areas, everything from logistics, distributions, accounting and finance, electrical companies to hospitals. How well organizations develop a risk culture can vary greatly, but among organizations that excel at it, there are certain common features (the electrical and hospital sector has much of the same understanding of risk management). Dr. Hole generally assessing how strong the company’s risk culture is, by understanding how an organization allows and responds to challenge in general—whether it’s a challenge to a policy, an action taken by the organization or other aspect. Often Dr. Hole sees that the middle management are not being comfortable by the way they are challenged and how they respond to it. Especially in a group environment, it can reveal important aspects of organizational culture, and ability to improve, change and focus on risks. Dr. Hole is of the opinion that it is easier to build a good culture of risk management through continuous improvements.
Organizations who has a strong and positive culture for change includes:
- Commonality of purpose, values and ethics: The extent to which an employee’s individual interests, values and ethics are aligned with the organization’s risk strategy, appetite, tolerance and approach.
- Universal adoption and application: Whether risk is considered in all activities, from strategic planning to day-to-day operations, in every part of the organization.
- A learning organization:How and if the collective ability of the organization to manage risk more effectively is continuously improving.
- Timely, transparent and honest communications:People are comfortable talking openly and honestly about risk, using a common risk vocabulary that promotes shared understanding.
Three Steps of Continuous Improvement of an Organization’s Risk Culture
Improving risk culture is a process that can be separated into three stages, each with its own components: cultural awareness, cultural change and cultural refinement. An organization’s initial focus should be on building cultural awareness, predominantly through communications and education. Cultural improvement will likely require meaningful changes to established ways of operating.
Step one: Building Cultural Awareness around continuous improvement
In the cultural awareness step, companies are establishing their risk management expectations for the organization and defining roles and responsibilities around risk management. Companies at this stage are communicating clearly and continuously to their employees what their expectations are. Companies are taking the time to educate their employees either through communications or through formal training, so they understand how to meet the organization’s cultural expectations.
The components of building cultural awareness around continuous improvements include:
- Delivering communications from leadership using a common risk management vocabulary.
- Clarifying risk management responsibilities and accountabilities.
- Conducting risk management general education and customized training programs based on employees’ roles.
- Embedding risk management into induction or onboarding programs.
- Refining recruitment methods to include risk management capabilities.
Step two: Changing an Organization’s Culture
At a more advanced level, organizations approach and embrace the cultural change stage, where they foster an environment that both recognizes and rewards people for paying attention to risk, including knowing how to challenge the status quo constructively. It’s at this stage where organizations develop motivational systems, both positive and negative, to reward the right kind of behavior or to penalize the wrong kind of behaviour. We see a keen focus on talent management trying to get the right people into the right positions to drive the right results. Another hallmark of this stage is the emphasis on the ethical and compliance standards that are important to the organization.
Some important components of changing an organization’s risk culture are:
- Creating a culture of constructive challenge.
- Embedding risk performance metrics into motivational systems.
- Establishing risk management considerations in talent management processes.
- Position individuals with the desired risk orientation in roles where effective risk management is critical.
- Reinforcing behavioral, ethical and compliance standards.
Stage three: Refining the Organizational Culture
In the third stage, organizations are getting more experienced and mature at their cultural development, trying to monitor cultural performance versus expectations. And those expectations can be set by various stakeholders, including employees, management, the board of directors, investors and analysts. At this stage, companies are engaging in adjustments of people, strategies and communications in order to produce the cultural outcomes that they desire. Companies that can demonstrate that they are both learning and have the ability to adjust and move on are fairly far down the path of the cultural road map.
Steps that are typically taken during this stage include:
- Integrating risk management lessons learned into communications, education and training.
- Holding people accountable for their actions.
- Refining risk performance metrics to reflect changes in business strategy, risk appetite and tolerance.
- Redeploying individuals to reflect changes to business strategy and priorities.
Once the desired risk culture has been established the organization should continually refine it to reflect ongoing changes in business strategy.