By John Dawson, CPT & Carmel McDonald, CPT

This article focuses on the results of research conducted by Australian performance improvement consultants and Certified Performance Technologists, Dawson McDonald & Associates, which highlights the impact of organizational culture on effective risk management. At the conclusion of this article, readers are offered the opportunity to take part in a wider online study of perceptions about risk and culture. This study is a part of ISPI’s Revenue Sharing pilot and partnership with Dawson McDonald & Associates.

During the Global Financial Crisis (GFC), many organizations that had copybook Risk Management frameworks, policies, and procedures collapsed because their organizational Risk Culture did not support their Risk Management Strategy.

Risk Management is not just a set of documents aimed at compliance. Risk Management should be a culture embedded in everyone’s process when determining “how things get done around here.”

©2008–2011 Dawson McDonald & Associates

Looking at the graphic, would you say that Correct Risk Treatment and Actual Risk Treatment are identical in your organization, or does the Actual sometimes deviate? Remember, Culture eats strategy for lunch!

The new International Standard on Risk Management, ISO 31000, recognizes the importance of culture: “Management should ensure that the organization’s culture and risk management policy are aligned”. As a part of our research, we set out to explore perceptions around culture and risk by launching an online survey asking executives for their perceptions about Risk Management in their own organizations. This survey drew 218 valid responses from executives, with over 80% being from board, c- level, or middle management. Only 34% had primary responsibility for Risk Management.

Respondents came from over 180 organizations across 18 industry sectors, including government, financial services, mining, manufacturing, construction and education. 40% employed less than 1,000 workers and 44% had 100–1,000 staff.

Effectiveness in Managing Risk
There is a distinct lack of confidence in the effectiveness of risk management in many organizations. Only 43% of respondents were confident that their organization was effective in managing risk with 18% being definitely negative and 39% “fence sitting”. This is surprising, given that in the aftermath of the GFC there were vast numbers of articles about the need to improve Risk Management. Boards and executives were said to be increasing their focus on Risk dramatically. The results of our survey suggest that while this may have happened in many organizations there are still many others where Risk is yet to be taken seriously as pivotal to success.

Risk Management—Compliance or Culture?
The following graph shows a sharp divide between respondents who said Risk Management is mostly seen as “a tick the box exercise” compared with almost the same number seeing it “as pivotal to success.” Only 49 % are positive that risk is carefully considered in decisions.

Attitudes to Risk

Attitudes to RiskIn my organization, Risk Management is mostly perceived as a “tick the box” exercise completed at regular intervals for Audit/Compliance purposes or another task that distracts attention from the real work.

In my organization, Risk Management is seen as pivotal to success.

When decisions are made in my organization, the Risk Management implications are carefully considered.

Culture and Risk Linkages
While many organizations in Australia are succeeding in embedding thinking about managing risk in their culture, many others have substantial challenges ahead to achieve this cultural shift. In many organizations, senior management has not established a culture where managing risks is seen as a core part of “how things get done around here”. This is reflected in:

  • 4 out of 10 organizations regard Risk Management as a “tick the box” compliance exercise, or another task that distracts attention from the real work
  • Only 5 out of 10 organizations give the people directly responsible for Risk Management “the authority to act and the commitment/support of our management team”
  • 4 out of 10 have poorly resourced Risk Management functions
  • Only half are positive that Risk Management implications are carefully considered when decisions are made
  • 1 in 4 are positive all staff have been well trained in identifying and managing risks

Reporting Level
Being part of the senior management team makes a difference. Where the most senior Risk Manager reports directly to the CEO, Board, or Board Committee, 68% of respondents say:

  • The Risk Manager has the authority to act and the commitment/support of our management team and that
  • The Risk Management function is adequately or more than adequately resourced
  • 62% of these respondents score their organization as effective in managing risk.

However, in nearly 60% of organizations the most senior Risk Manager reports to a lower level.

Risk Culture
There is a sizeable gap between expectation and performance around Risk Culture in organizations i.e. is thinking about managing risk as part of “how things get done around here.” Based on the graph below, 77% of our respondents felt, “It is important for my organization to have a Risk Culture that is supportive of the organization’s goals and its people”. In addition, 51% felt, “Our current Risk Culture is supportive of the organization’s goals and its people”.

Risk Culture

Our experience is that all these factors are driven by the “tone at the top.” This brings us back to the Risk Culture Chain where Organizational Culture drives the Values set and acted on by the top leadership. This in turn drives the Practices in departments, units, and teams across the organization and finally the behavior of individuals, who strive to conform to the organizational “norms” of “how things get done around here.”

Leaders clearly have a credibility gap in many of these organizations between their words and actions. This in turn can be expected to have a negative impact on the management of risk.

Our field experience as performance improvement consultants is that Culture has an enormous impact on Strategy, including Risk Strategy, and often overwhelms it.

Global Survey of ISPI Members and those in the Field of Performance Improvement
We are keen to compare the Australian experience with that of other countries and ISPI has agreed to partner with us in exploring this. We would appreciate you to give us 10 minutes or so of your time to complete the survey giving us your perceptions of Risk Management in your own organization.

We guarantee complete confidentiality of your responses and only aggregate data will be used. The survey does offer you an option to request a report on the survey results by leaving your email address but this is entirely optional. The survey is open now and will be closed on March 4, 2011.

Please click on this link to go to the survey:

If you would like any additional information, please contact us at