We believe that risk, compliance and performance management has traditionally assumed that people’s behaviour, and the impact of that behaviour, can be predetermined and documented as a set of requirements that are subsequently audited and risk assessed; what some would call a tick-box approach. Whilst this manages what is easily visible and examines what has already happened, it offers little understanding of the risk to compliance and business performance posed by how people actually behave.
As examples, subsequent investigations into operational, conduct and credit risk in cases such as the financial sector, Stafford Hospital, Deepwater Horizon and Grenfell Tower consistently reveal that the cultural conditions which caused systemic failure were largely invisible to management. By the time poor performance appears on a KPI it is, of course, too late: the damage has been done, and only the consequences of the risk and compliance failure can be managed, such as loss of life, damage to the brand, fines and reduced profitability.
Therefore, current risk, due diligence and audit methodologies pick up only what is easily visible: the backward-looking part of the risk, compliance and performance picture. To complete that picture and close the gap, there is a need to understand what is really happening within the business day to day, i.e. to measure culture.