Risk culture is a construct in which the organization's values, beliefs, and behaviors influence actions relative to how it responds to operational risks. By reducing complexity across the organization's functions and processes, the different types of operational risk (e.g., food safety and people safety) can be assessed and managed by a single, powerful approach so that the risk culture is more mature, more effective, and more sustainable.

As an example, a multi-plant food company reduced the time that plant managers spent on food safety and people safety by reducing complexity. The complexity existed because there was a doubling up on systems, standards work, and engagement efforts related to food safety and people safety culture. To address this, a greater degree of integration of culture efforts related to these operational risks was proposed. This effort saved the company time and money.

The content in this article has been adapted from the Keynote Panel presentation at the 2023 Food Safety Summit, held in Chicago, Illinois on May 10 of this year.

Why Talk About Risk Culture?

The way a company approaches its assessment and management of risks has a direct impact on its success. We are not here to talk about "good" or "bad" risk cultures, but to offer some ideas and tools from executive leaders who have given a priority to risk culture in their respective businesses. Our intent is that others can learn from these suggestions and use them to simplify the efforts of their leaders, especially the middle managers who are most often tasked with managing operational risks in multiple formats.

Obviously, the organization also manages business, enterprise, and financial risks. Although these are outside of the scope of this article, learnings applied to food safety and people safety risks can also be applied to these other risk areas.

It is very important for senior leadership to understand risks, including how to assess and manage them, and how to set the tone for the organization around those risks—even when it is the middle managers and the frontline teams who are doing the day-to-day operational work.

The Impact of Human Bias on Identifying Risks

It is sometimes thought that risks are missed because of some error or omission in a technical aspect of a risk assessment. The lament becomes, "If only there were more technical people, or better technical people, or a more accomplished food safety/quality assurance (FSQA) organization… maybe the risk wouldn't have been missed." Yet, 54 percent of the companies assessed by Cultivate SA are weakest in the "risk and hazard awareness" dimension. This means that risk analysis is mostly conducted by the FSQA department and does not reach the senior or frontline team members.

We should recognize that risks can be hard to identify because of inherent personal and/or organizational biases and the heuristics related to them. Heuristics are mental constructs, based on one's experiences, which highly influence decision-making. These actually can be very useful for making everyday decisions—they make these kinds of decisions easier. However, heuristics also allow inherent, deep-rooted biases to affect decision-making. This happens because evaluating risks is, after all, a matter of judgment.

Many different types of biases exist. For example, a "confirmation" bias is our tendency to favor information that confirms our current beliefs—and excludes information and data to the contrary. An "availability" bias is our tendency to overvalue and overestimate the impact of things that we can remember, and undervalue and underestimate the prevalence of the events we hear little to nothing about. Hence, the availability of knowledge influences our thinking and actions. In general, our biases tend to make us underestimate risk,¹ and they tend to inhibit our willingness and ability to discuss risks with others.² If risks are not discussed, this eliminates a key way by which they are identified, assessed, and managed.

Finally, even when we might perceive a behavior as risky, psycho-social factors, such as social norms within the company, can obscure or counteract our perception of that risk.³ The same can be said for personal feelings, which can also make us blind to rational decision-making.¹ More on this later.

How Complexity Thwarts Risk Culture Efforts

Many companies believe themselves to be quite good at risk management. This is often because they have systems and procedures in place to address each risk the company might face (e.g., food, people, market, supply chain, investment). The company may have separate teams focused on these specific functional areas, because the underlying bias is that specialized teams are best equipped to manage specialized risks.

A common way to manage risks is through the use of a "compliance" approach. Simply put, this type of risk management is a process whereby risks are nominally managed through establishing and enforcing a set of rules. This makes sure that the company is compliant with a set of rules that it is being held accountable for, whether external (e.g., regulatory agencies), internal (e.g., human resources-mandated programs), or both.

In food companies, this compliance approach most often manifests itself as the food safety and people safety functions being the only ones who manage food safety and people safety risks. In fact, Cultivate SA has found that in these types of organizations, the food safety professionals often think that they can do what they want to do relative to food safety (e.g., following a compliance approach). They may tend to think they are collaborative in doing so, but in reality, they usually are not.

Compliance approaches are very common in the hospital industry—for example, checklists are used to ensure that a surgery will be successful. Compliance approaches are also used in the oil industry, ensuring that companies use best practices to discover and drill for feedstock. Yet, even though all rules are followed, disasters still happen (e.g., the Deepwater Horizon oil spill in 2010, where a drilling rig leased by BP exploded). Also, by way of example, when most people think about compliance approaches to manage risk, they think of the banking industry. Yet, the subprime mortgage crisis of 2007–2008 still lingers in recent memory. Risk management by a compliance approach did not prevent the disaster. Similar thinking is found in some food companies where an overreliance on preparing and delivering third-party audits becomes synonymous with food safety.

Rule-based risk management by itself will not diminish either the likelihood or the impact of a disaster. Equally insidious is that by taking a separate approach for each type of identified risk, the company is, by definition, increasing its operational complexity.

Simplification—Bringing Risk Culture Together

There is an increased need to simplify risk responses for middle managers since it is typically the production managers, store leaders, etc. who must turn all risk responses into actions and behaviors for their team members. The more each discipline becomes educated on the impact of culture on risks, the more complexity a middle manager must accommodate. For example, it is important to instill a personal safety mindset in sanitation workers when dealing with cleaning chemicals. They are often working under time pressure and independently, but leaving residues in hard-to-rinse areas could elevate a food safety risk.

One way to drive a simplified approach is to use a model that puts most, if not all, operational risks under a single construct. To this end, Cultivate SA has developed a model (Figure 1) showing the interrelationships among three key elements that help define an organization's risk culture, particularly as it applies to food safety and people safety; yet, it can be easily broadened into other types of risk. The model should not be viewed as a static snapshot. The process is iterative; it has no end for a reason.

Hazards, from a food safety point of view, are the classic biological, chemical, and physical risks and psycho-social risks (note that these can be generalized to other types of risk). These risks, in a corporate or manufacturing setting, are risks that affect the physical and mental well-being of the employee. These could relate to the specific work environment, the workload itself, or the conflicting demands on the employee. All could lead to the development of hazards that need to be addressed, and these could also lead to the development of work-related biases, as described above.

From a reduction of complexity perspective, identifying hazards across different risk areas can lead to better identification and assessment of where a hazard in one risk area might increase the risks in another. For example, psycho-social hazards can influence if employees have the courage to speak up—and with urgency—when necessary.

Assessments relate to the analysis of hazards and should include some combination of intuition, experience, sciences, and accumulated data from past actions. Assessments should also include recognized biases. Best practices now include the use of artificial intelligence (AI) and machine learning (ML) tools. These tools permit much more integration of data, allowing patterns and insights to emerge that may not have been noticed before. We will elaborate on this later.

Very important is a caution that the organization should not rely on the tools themselves or the data to do the risk assessment. Assessing hazards depends on everyone in the organization weighing in on them—and not just the food safety or people safety functions!

Hazards become risks when severity and likelihood of occurrence are assigned to each hazard. Many companies use a classic grid to plot hazards and their importance. In the context of risk culture, this should also include all operational risk areas and representatives from "top to front" and across functional areas. As such, we advocate re-purposing the HACCP Team and the Safety Committee to a Risk Team with clear social norms around contributing, challenging, and using science and data.

Without facts and the right data in the assessments of hazards and risk culture, risk responses can be misleading and, contrary to intent, can increase operational risks. One way to keep this on track is to make the assessments personal, such as how they relate to one's family and friends (at work or at home). This can help make it so that teams want to take care of each other, as this helps make risk awareness a personal responsibility.

Furthermore, assessments can be simplified by themselves. For example, Maple Leaf Foods uses a total recordable incident rate with the same framework for food safety, quality, and sanitation. This allows the use of a single number for each, reportable monthly.

Responses are the decisions that can and should be made on how to manage risks, how to communicate with stakeholders about them, and to what degree the company is comfortable taking on different levels of risk (a so-called "risk appetite"). Given that the company is managing financial risks in addition to operational risks, priorities need to be set with all of these risk levels taken under consideration collectively.

Setting priorities can be difficult since it requires balancing risks across multiple fronts (financial, employee, environment, food). A reminder is that this is everyone's responsibility—not just the CEO or the senior management team, but also the ongoing responsibility of the HACCP Team, Safety Committee, or Risk Team to educate and inform both senior management and frontline teams. Yet, the senior management should also be regularly incorporating risk discussions and data in its setting of food safety strategies. The broader the discussions (e.g., corporate board, executives, leadership, frontline), the better the chance of achieving the right balance of risks. For example, OSI Group uses a quarterly meeting to bring together people from all disciplines, giving them an invitation and space to speak up.

Data, AI, and ML

Data collection is so important to timely, accurate, and actionable assessments that we think this is worth elaboration. AI and ML are technologies now readily available. Technology adoption is a journey, but now is the time to migrate away from spreadsheets as the sole repository of the organization's data, especially operating data related to food safety and people safety incidents. According to the attendees at the Food Safety Summit's Keynote Panel, more than 65 percent of them are using spreadsheets as their main data-management tool. Moving past manual entry of data into spreadsheets leads to better accuracy, as well as better records for later analysis. This includes the use of automatic digital monitors on the production line to achieve a monitored process with relevant metrics.

With more data collection, however, comes the challenge of determining which data are the most relevant for risk assessment and which data are the most useful for decision-making. Wawa Inc. uses Monte Carlo simulations as one of several tools to help apply established metrics to potential and real-life scenarios to better understand the impact of risk. A benefit of assessing different scenarios is that this allows multiple food safety issues to be examined simultaneously, which helps in making decisions about risk tolerance and how to potentially further mitigate or transfer the risk. Utilizing this approach for the top strategic and operational risks across the company allows the company to compare and discuss risks utilizing a uniform approach with senior management and the board.

Maple Leaf Foods uses electronic workbooks on the shop floor to immediately funnel data into an enterprise management system. The workbooks are used by both QA and operations team members, with customized user interfaces to streamline the work. This simplifies not only how data are collected, but also allows for easier "translation" to senior management.

Simplification—Why It Works

Looking at problem-solving across all risks, collectively, reduces complexity immediately because interactions between risks are automatically taken into account. This is much more powerful and efficient than looking at individual risk areas—e.g., food safety only. One well-known food company recently took this principle to heart by reducing its risk management teams from three (including a HACCP Team) to one (a Risk Team). By doing so, it realized a 23 percent reduction in time spent managing safety and food safety risks. This is powerful. The biggest obstacles to getting results are often the individual functions, the sub-cultures, professional pride, and the organization's history of compliance. Simplifying the overall process helps mitigate these challenges.

Summary

Managing risks is very difficult because risks change, new ones are identified or move into the business, and there are so many of them. Risk assessment is always a dynamic process. Finding ways to reduce the complexity of identifying, assessing, and managing those risks can pay out not only in reduced time spent on risk management, but also in handling risk in a more efficient and effective fashion.

The model proposed above provides a simple construct to allow such thinking to occur. Hazards need to be assessed (food safety or otherwise), and then appropriate responses need to be taken. Such actions need to be owned by all levels and functions of the company, from the senior leadership level to the frontline team members. Remember, without engagement from leaders in understanding and assessing hazards, risk responses (i.e., how risks are managed and communicated) can be out of line with everyday operations. This often means that they are less likely to be well understood and more complicated than they need to be.

Things You Can Do Tomorrow to Reduce Complexity in Risk Culture

Strategic suggestions for reducing complexity in your risk culture include:

• Integrate all safety topics (financial, people, food, sustainability) into one system/approach so that it is easier for the CEO to understand and make decisions.
• Understand how the organization currently assembles and uses data—is it a standardized and consistent approach, or not? Can the process be simplified?
• In addition to the three "classic" HAACP risks (biological, chemical, physical), are you integrating them with psycho-social factors?

Tactical suggestions for reducing complexity in your risk culture include:

• Sit down with your leader of personnel/employee safety to see what issues are in common with food safety needs.
• Talk with your IT people to gain new ideas on how data can be stored, accessed, and studied.
• Identify three social norms within your organization that might be affecting how food safety risks are assessed in terms of likelihood of occurrence.

References

1. Pillay, Srini. "A Better Way to Think About Risk." Harvard Business Review. December 23, 2014. https://hbr.org/2014/12/a-better-way-to-think-about-risk.
2. Kaplan, Robert S. and Anette Mikes. "Managing Risks: A New Framework." Harvard Business Review. June 2012. https://hbr.org/2012/06/managing-risks-a-new-framework.
3. Veflen, Nina, Joachim Scholderer, and Solveig Langsrud. "Situated Food Safety Risk and the Influence of Social Norms." Risk Analysis 40, no. 5 (May 2020) 1092–1110. https://doi.org/10.1111/risa.13449.