2 minute read
Editorial
Editorial
Editor Arthur Piper
The trouble with culture
I was talking to a senior figure in the internal audit profession recently and he expressed some doubt whether many financial services businesses were resilient to failure. True, they have increased the capital they hold, put in bigger and better risk and internal controls teams, and have closer contact with regulators.
Those systems have certainly improved the way those organisations manage risk. But if there are devious or lazy people who circumvent, or don’t follow, controls procedures, they are back to square one. “That’s why,” he said, “it’s your culture that’s the best risk management system there is.” People have to care enough to act upon what they notice when things go wrong.
What do risk managers and internal auditors know about culture? How many have training in anthropology, psychology and sociology? And are there systems in place to capture cultural metrics?
I invited professor of sociology at MIT Susan Silbey to share some thoughts with us – you’ll find her article on pages 18-22. She looks at the issue through the lens of safety culture. Nobody was talking about risk culture before 1980, she says, but now it’s a major topic. She believes that this has occurred because of major technological catastrophes and risk management has been an empirically-oriented response to those incidents. The thinking seems to be, if you can measure what goes wrong, you can prevent it.
She gives short shrift to this approach. History has proved it to be wrong. It tends to miss those aspects of disaster that are hard to pin down precisely because they can’t be quantified. In addition, trying to impose risk culture from the top can serve to put responsibility for preventing accidents into the hands of those at the bottom of the organisation with the least power to prevent it.
Alex Hindson has kindly volunteered to offer his own thoughts on how risk managers can get to grips with these issues on pages 24-27.
But it seems to me that the financial regulators are asking risk managers to do the impossible. If culture is not as quantifiable as it has been assumed, how can it be managed? And who has the professional qualifications to do so? Are the regulators laying down yet another faulty model in the history of failed attempts to manage catastrophe?
Arthur Piper Editor
