Risk Culture in Public Organisations – a commercial view


In this we explore the role of culture, and in particular risk culture, in public organisations like Civil Service, BBC and NHS and how contemporary business ideas can benefit governmental reform initiatives.

Risk culture can be defined as the values, beliefs, knowledge, and understanding about risk shared by a group of people with a common purpose. Risk culture is an outcome of a wider cultural attitude. Root causes need to be examined to establish main drivers and this paper gives some guidance on the latest commercial thinking on this subject from business sectors which have gone through significant change to survive.

Risk culture has become a popular concept when describing the current state of perceived excessive risk facing some commercial sectors, in particular financial services. For example, the Libor investigations and mis-selling of products to consumers are highlighted as examples of excessive risk culture by the media and regulators. In the oil and gas industry, the safety risk culture was also widely discussed as a contributory factor for explosions at the Texas Oil Refinery in 2005 and Deepwater Horizon Platform in 2010.

The reality is that changing the risk culture should not be a goal in itself. The goal should be to alter tangible things Public Organisations offer to the citizens of the country that will change the way employees do their work, and gradually this will change the risk culture.

The Bow Group concludes that the government has to be bold and should look at the current skills of leadership and current organisational structures to address this important aspect. The success of the Olympic and Paralympic Games showed the value of cross party co-operation, continuity of management and accountability by non-political project leaders.

The Bow Group Policy Proposals

The Bow Group endorses the objectives of the Civil Service Reform Plan, but recommends following radical policy initiatives to expand and accelerate the culture change programme, in particular promoting risk culture initiatives to address root causes:


  1. Ring fence ‘too big to fail’ departments
    The right structure and governance is important to manage a large organisation. Current public organisations are too big to fail and some ring fencing is required to achieve efficiency and consistency in risk culture. One way to achieve this is to ring fence critical government departments. The Bow Group recommends that a ‘new’ civil service should be created for the highest spending government departments – Department of Health, HM Treasury, DWP and Department of Education. A new leadership team should be appointed (i.e. the current Head of Civil Service job should be split) and the civil service reform plan should be accelerated for these departments. The remaining departments would be managed under the existing civil service. The senior leadership of the ‘new’ civil servants should be subject to qualification and training on leadership, project delivery and risk management. We also recommend the appointment of a new non-executive Chairman and Board to oversee all ring-fenced departments.
  2. Mandatory analysis of ‘unknown-unknown’ Black Swans risks during Policy Impact Analysis
    The Bow Group recommends that it should be mandatory to discuss and analyse black swan risks (unknown-unknown) and other risks during policy impact analysis documents.
  3. Publish a risk appetite (tolerance) statement outlining what is the risk tolerance acceptable to the organisation
    The Board of each Government department should articulate a risk appetite. This means defining the boundaries to control risk and to ascertain the risk the board is prepared to accept when delivering its strategy. The risk appetite should be central to the annual planning and strategy process. It should be considered as part of formulating the mission and values for each department. At a minimum each department should have a qualitative (and sometimes quantitative) appetite statement for each of the five categories: 1) Strategy risk; 2) Reputational risk; 3) Sustainability risk; 4) Project risk; 5) Operational risk.
  4. Create innovation hubs in front-line delivery departments with local small and medium size business
    Create initiatives to promote innovation in front-line departments, as this will embed the risk taking culture. The proposal is similar to the skunk works used by Lockheed Martin during the Second World War. Skunk works’ projects were developed by a small and loosely structured group of people who researched and cultivated a project primarily for the sake of radical innovation. We propose that this should be done in partnership with local SMEs, and possibly jointly funded by both the Government and SMEs at the concept, proposition and then development stages. The objective is to radically redesign service delivery by using digital or other means.
  5. Conduct periodic risk culture surveys and create a league table of Government departments with the best risk culture
    To measure risk culture, each Government department needs to explore behaviour. These include questions about employees’ behaviour; managers’ encouragement of whistleblowing; rewarding, incentivising discouraging or punishing behaviour. A good way to assess this is measuring managers’ reaction to inappropriate behaviour like breaking rules. Would they be punished if caught? The process should assess existing strengths and weaknesses and identify areas for improvement and monitor progress. This could be achieved using online staff questionnaires that can be conducted on a cross-section of people in the organisation.
  6. Evaluate the benefits of risk registers or redraft to a meaningful shorter top 10 risks to ministers
    The risk registers at departmental levels should be summarised to create top 10-15 key risks and associated controls to match the risk appetite statements so that the Minister and Departmental Board can focus on the right risks. There should be a similar escalation of top 10 ‘heightened risks’ to the Minister. The risk registers should be based on their degree of controllability and their connection to the strategy. These are divided into preventable risks (internal), strategy risks, and external (non-preventable) risks.

Reproduced and adapted with kind permission of the Bow Group

Write a Reply or Comment

Your email address will not be published.