Before we answer this: What is mindset and why is it important?
According to the Cambridge Dictionary, mindset is a person’s way of thinking and their opinions (dictionary.cambridge.org). The Oxford Dictionary defines it as the established set of attitudes held by someone (en.oxforddictionaries.com). Wikipedia defines it as a set of assumptions, methods, or notations held by one or more people or groups of people that is so established that it creates a powerful incentive within these people or groups to continue to adopt or accept prior behaviors, choices, or tools (en.wikipedia.org).
Organizational culture is regularly cited as being critical to effective risk management. The Bank of International Settlements references culture in two of the five principles for effective corporate governance (Banking Committee on Banking Supervision (2015), Guidelines: Corporate governance principles for banks, www.bis.org). David Hillson published a paper on risk culture in which he puts forward the A-B-C model of culture: where Attitudes shape Behaviour, which forms Culture. (Hillson, D.A. (2013) The A-B-C of Risk Culture, www.pmi.org). Mindset and Attitudes are synonymous in this context. Understanding Risk Mindsets, based on Hillson’s A-B-C model, is essential to understanding and ultimately shaping risk culture.
Therefore, let us define Risk Mindset as the way an individual thinks about risk and how that influences their behaviour. Let us acknowledge that these mindsets are essential to effective risk management.
Risk mindsets can, based on this definition, be assessed on a number of dimensions. The following are my views on the risk mindsets which are most important to effective risk management. In putting these forward, I acknowledge that other mindsets exist. I do not intend to be exhaustive in my discussion, but rather, I aim only to put forward a view of risk mindsets which I find useful and I hope that you will too. In this article, I will explore risk mindsets from the perspective of accountability for risk.
My model of risk mindset focuses on accountability. It generally recognizes there are two key roles that an individual can have in managing risk: The first role is the person whose decisions and actions create and directly influence the risk; and the second role is the person whose decisions influence the first role. In both roles, this model of risk mindset applies.
My model of risk mindsets recognizes the different perspectives these two actors can have towards their accountability for risk. I identify three different mindsets that either actor can have which represent a continuum from an immature to mature risk mindset. I label these three:
1) Seeks Approval
2) Follows the Rules
3) Makes Risk Aware Decisions
In the Seeks Approval Mindset, the first person seeks the approval of the second person. An example would a product manager who is developing a new product and seeks audits approval of the product. A Seeks Approval Mindset, consciously or not, places accountability for risks taken on the second person. They may or may not be very aware of the risks, however the key feature of the Seeks Approval Mindset is that the first person seeks permission and in doing so effectively transfers accountability for the risk to the second person. The second person, the auditor in this example, who approves the decision is in effect taking responsibility for the risk, although they may not fully appreciate this. Simply said, in this case, when things go wrong, the first person can point to the second person and say that they approved the decision. This mindset was the norm for many years and still is the norm in many cases, sometimes embedded in organizational procedures. Now, we should acknowledge that the Seeks Approval Mindset is appropriate when the second person is the direct supervisor of the first person. An effective risk mindset requires a Seeks Approval Mindset aligned to the managerial spine, but not to corporate support roles, in which case it is an abdication of responsibility.
The Follows the Rules Mindset has the first person taking on more accountability but still not fully being accountable for the risks. In this mindset, the first person looks to the second person to instruct them. The first person understands and accepts that they make the decisions and they take the risk. They look to the second person to provide rules (such as policies) and to tell them what is required. The first person focuses on complying with the rules. Rules are important as a tool for the managerial spine to manage the organization. The important characteristic in the Follows the Rules Mindset is that the first person measures effective risk management by their adherence to the rules. For the second person, they too are focused on rules, often regulations, and promoting obedience in the organization. In reality, rules are imperfect. Obedience to the rules is not the same as effective risk management. The Follows the Rules Mindset focuses on following the rules but has not truly taken accountability for the risk. This mindset builds on the Seeks Approval Mindset, understanding Audit’s role to review their actions after the fact.
The Makes Risk Aware Decisions Mindset is the mindset we want to achieve. In this mindset, the first person embraces the risks (meaning uncertainty) in each decision and sees the opportunities and hazards. With this mindset, risk information is used to enhance the information used in every decision, leading to better decision making. On a continuous basis, the first person actively seeks the advice of the second person and thoughtfully considers that advice in the broader context. For the second person to have this mindset, they also understand and prioritize the organizational goals while clearly understanding that they provide a specific type of expertise. The second person proactively anticipates the needs of the first person and volunteers useful advice aimed at enhancing organizational success. In the Makes Risk Aware Decisions Mindset, the first person embraces being fully accountable for the decision and is supported by proactive subject matter experts who volunteer timely and useful advice. In this Mindset, both Actors embrace the positive aspects of the other two Mindsets: They value Audit’s reviews and assurance as feedback on their decisions, and the embrace the value of rules as limits on decision making.
It is possible, in fact desirable, to develop an organization where the broadly held mindset is the Makes Risk Aware Decisions Mindset. An organization which has achieved this mindset is enabled to pursue opportunity and is set up to maximize success.