Addressing the Unavoidable: Why a Risk Culture is Important

The Institute of Risk Management (IRM) defines risk culture as “the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose.” Risk culture matters because risk management cannot function in a vacuum, and you’d be hard pressed to find a program that has survived when leadership has failed. It follows processes that advise, inform, review, measure and monitor. It does not control or make decisions; those are tasks for organizational leaders. An effective risk culture is critical to the overall success of the risk management process.

It is crucial to have an agile corporate environment in place to ensure that proper attention is given to protecting enterprise value. Such an environment will include management’s operational style, the incentive and compensation structure, a total commitment to ethical and responsible business behavior, transparent reporting, clear accountability for results and other ethical functionality of the organization’s culture.

An effective risk culture does the following:

• Recognizes the reality that risks exist and promotes discussions about them
• Fosters an environment of timely response to risks as they arise 
• Seeks out information about risk from all levels of an organization 
• Designs appropriate risk management policies and processes  
• Holds personnel responsible for adhering to those policies and processes

When firms have not created a risk culture, decisions are often made that are not in line with the company’s policies and procedures. A white paper published by the IRM states that organizations with inadequate risk cultures inadvertently set themselves up for operational issues. Permitting activities that are at odds with company policies and procedures, or failing to  address them once they’re discovered, sets a tone for the rest of the organization to ignore or disregard issues that could lead to serious consequences. “At best, this will hamper the achievement of strategic, tactical and operational goals. At worst, it will lead to serious reputational and financial damage,” writes the IRM.  

Creating an Effective Risk Culture

Successfully creating a culture of risk requires patience. Changing the climate and culture of any organization is a multi-year process. This will not transpire during one board- or staff meeting. It won’t happen in a memo. Evolution takes time—time to educate an organization and for leaders to demonstrate the importance of supporting these new initiatives.

Here are two action items to consider as you build:

Identify your current risk culture. Knowing where your organization stands (concerning risk) will help develop an understanding of the existing maturity level, and where the bar should be set. Creating core statements about the values and desired culture will allow for clear communication and easy adjustments.

Get executive leadership involved. This type of change must come from the top down in order to be effective. CEOs and CFOs who want to initiate the process must build a consensus among the company’s top leaders. They must come together to agree on the type of culture they want for their organization.

Moving Forward

A company that seeks to improve its risk culture will need to change the way it approves digital transactions, including fund transfers or activities at banks, capital projects in heavy industry or even outpatient procedures at hospitals. This will allow for standardization and will ensure proper organizational buy-in.

It’s important to implement a robust and agile platform that helps automate processes and procedures, as well as educate and support your organization as it adapts to a changing culture.

Risk management needs to be clearly and regularly communicated throughout the organization. Spending time developing training sessions to educate the organization on proper roles and responsibilities of risk management will pay off greatly.

What Can Risk Culture Look Like?

A successful risk culture has these characteristics and if one begins by implementing these you will jump start a culture that will save you from a great deal of pain:

• Acknowledges risk management by the top-level executives
• Follows ethical principles for decision-making
• Reports all risks and learn from mistakes
• Responds to risks that easily escalate up the chain of management (without fear of blame or retaliation)
• Understands the risk level of every process or activity
• Presents accountability and management of risks throughout the organization at every level
• Encourages appropriate risk-taking and hold people responsible for poor risk-taking
• Values employees with risk management skills and knowledge
• Encourages training and education on risk management skills
• Challenges the bad status-quo with diversity of experience, perspectives and proper re-education

Putting the Right Protocols in Place

When altering an organization’s risk culture, it’s helpful to have the right protocols in place that will increase risk visibility for every employee. This will add great benefits to your firm by protecting assets and reputation from being featured in headlines; one doesn’t have to look hard to find a great number of instances of fraud, employee scandals, misconduct and more in the media. These all indicate a significant failure of risk culture. Having a strong risk culture will allow you to prevent potential disasters. Implementing the right protocols, ones that define potential risks associated with activities, and allows stakeholders across the organization to rate risk accurately, emphasizes the desire to create a robust risk culture.