Workplace Culture – a curious concept

Culture is a funny concept: It is neither tangible nor permanent, but rather develops and evolves over time and is a reflection of the members of that ‘tribe’. Organisations, groups and communities can all develop unique intrinsic cultures as a results of the collective actions, behaviours, norms and values of that organisation.

The fact that culture is not a tangible thing makes nurturing a ‘good’ culture hard for leaders to achieve, and very easy to destroy. Good workplace cultures can become self-perpetuating, attracting others of similar visions and values and contributing to a highly engaged workforce. In his 2013 article in the Harvard Business Review, Michael Watkins provides a great discussion on organisational culture, outlining different perspectives on what it is and how it permeates the modern workplace.

Culture is recognised as being one of the most important components of successful companies. According to James L. Heskett, culture “can account for 20-30% of the differential in corporate performance when compared with ‘culturally unremarkable’ competitors”, making understanding it essential for all leaders (HBR, 2013).

Seven dimensions of security culture

When applied to security, the concept of organisational culture is no different. According to Perry Carpenter in Forbes Magazine (2021), there are seven dimensions to security culture. I have taken Carpenter’s seven dimensions and adapted it to provide more context for risk leaders:

1. Attitudes: Employees have a positive view of security and understand why it exists. A positive culture of reporting security incidents is established
2. Behaviours: Employees conduct themselves in a manner that positively impacts overall security. Innocent, unintentional security breaches or accidents are not punished or perpetrators ostracised
3. Cognition: Employees know about security and have a high level of awareness of threats and security programs
4. Communication: Security is communicated clearly and regularly, with key messages being enforced in ways which are easily understood by all and which resonate with the workforce
5. Compliance: Employees comply with security policies voluntarily, not because they have to
6. Norms: Being conscious of security and the need for it, as well as the expected behaviours, becomes part of the organisation’s fabric. Employees who go against these norms are counselled by peers, not security, compliance or management
7. Responsibilities: Employees understand their security obligations and take them seriously. They know what to do and when, and comply with these rules and expectations

How does your organisation compare in relation to these seven dimensions? What about your previous employers? Reflecting and thinking critically about what we do and how we behave as leaders makes us think what else can we do better, and potentially enhance our culture in the process.

Six things leaders can do to improve security and integrity culture

Despite achieving a good security culture being hard to achieve, leaders need not despair. There are things we can do to improve security culture, it just takes time and effort. Listed below are six things I would encourage leaders to do to build or improve your security and integrity culture:

• ‘Tone from the top’ – what senior leaders say and do matters as just like pets or children, behaviours will be replicated. Leaders should continually demonstrate the importance of security and integrity within the business, and not just pay lip service.
• Awareness training – regular training on security and integrity is important in the workplace. People need to know how they are expected to behave, and to understand the organisations policies and accepted practices. Ideally, not all training would be computer-based as people need time to talk through scenarios and learn from peers such as via interactive, discussion based forums.
• Risk is part of the organisation’s DNA – thinking about risk does not mean being discouraging staff from taking risks. Taking risks is an important element of creativity and innovation, but ideally risk taking would be measured to avoid taking risks from which organisations or staff cannot recover. Thinking about what could go wrong (or right) and ways in which adverse consequences or likelihoods can be mitigated or proactively managed should ideally be part of the organisation’s cultural fabric.
• Penalties are not applied for accidents, near misses or unintentional incidents – rather, a constructive approach that focuses on continuous improvement and lessons learned should be taken. Inquiries into organisations with poor risk culture found that poor organisational cultures are those where blame is apportioned, messengers are blamed, and where subordinates are too scared to tell the truth to senior management for fear of repecussions. Leaders cannot fix problems they know nothing about.
• Staff feel comfortable speaking up about their peers – in my previous post on the critical path method and insider risk management, I spoke about the need for organisations to identify workers who are struggling (and may pose a security or integrity risk to the organisation by virtue of their situation). Peers who have a concern about a co-worker should ideally be able to confidentially raise these concerns without worry that the struggling co-worker will be fired or penalised, but rather supported.
• Treating people fairly – where problems or allegations do arise, the workforce must know they will be treated fairly and that the principles of natural justice will be applied to the investigation and resolution of incidents.

Further Reading

• Laker, J., Broadbent, J., and Samuel, G. (2018). Prudential Inquiry into the Commonwealth Bank of Australia (CBA) Final Report, Australian Prudential Regulatory Authority, www.apra.gov.au
• Carpenter, P. (2021). The Importance Of A Strong Security Culture And How To Build One, Forbes Magazine, www.forbes.com
• Coleman, J. (2013). Six components of a great corporate culture, 6 May 2013, Harvard Business Review, https://hbr.org/2013/05/six-components-of-culture
• Curwell, P. (2022). Applying the critical-path approach to insider risk management
• Watkins, M. D. (2013). What is Organizational Culture?, 15 May 2013, Harvard Business Review, https://hbr.org/2013/05/what-is-organizational-culture

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.