Our trio of experts share the steps they’ve taken to create a positive risk culture and how you can use these to embed risk into organisation-wide decision-making.
Organisational risk culture is a powerful thing. When it is positive, risk analysis is factored into decisions from the get-go, boards understand the value of risk management in achieving business goals, and everyone is speaking the same language.
However, when risk culture is poor, bad decisions are made, risk management is seen as a blockade rather than a valuable business tool, and companies rely on static risk tools that don’t allow them to evaluate opportunities on the horizon.
But how can risk managers influence culture to create an environment where risk-based decision-making is the norm? In September, StrategicRISK held a webinar with three risk experts to find out.
Watch the full webinar: Risk Culture - How to embed this into your organisation.
Back to basics
Working at a company like SimplyHealth, where people want to do the right thing, makes getting risk culture right easy, said head of risk and financial crime, Tom Hughes.
However, his experience working in organisations where risk culture is less defined demonstrated how sometimes a more radical approach is required.
Hughes explained: “In less mature companies, we really have to go back to the basics and look at how we can reset the risk management framework, and transition hearts and minds so that risks are understood, actively managed, and the risk management function is trusted to play an active and collaborative role.”
He said building relationships is a key part of this, as is having a well-understood taxonomy of risk. But he added that workshops with risk simulations linked back to corporate objectives can be a great way to break down silos and get people thinking about risk in the right way.
Claire Hopper, international sales engineer at Riskonnect, agreed that having a common language is an important place to start.
She said: “I don’t think a risk manager can be aware of all risks that might impact an organisation. You need to use people to get that data in… A good first step is aligning the terminology.
“For new employees, think about having a glossary before you start speaking to people and help them understand what risk means to you.”
She added that then you can start using the data you’ve collected to identify key themes and spot emerging risks. Eventually, you can compare the cost of incidents with the cost of controls and demonstrate the influence your allies have had on helping the organisation meet its objectives.
Risk culture changes typically start at the top, which usually means you need buy-in from someone on the board. When it comes to senior managers, money talks, and demonstrating how risk management can save on insurance premiums is a great way to get their attention.
Alex Sidorenko, group head of risk, insurance and internal audit at Serra Verde, explained: “There will always be someone who is aggressively against any type of risk analysis or risk integration… What really helps is saving millions of dollars because once you do that, it’s a lot easier to sell risk management.
“This is what I usually focus on first. Once you’ve saved a few million on insurance, the buy-in from the top seems to be a lot easier.”
Hopper stressed that risk managers must demonstrate the upside of risk, showing how analysis and management can help firms leverage opportunities. This, she argued, is a great way to build allies among senior managers.
She said: “If you start showing risk management as a money-making exercise, then the board will be more interested. We don’t see that very often.
“Everyone starts with threats, which is fine. But once you start identifying those causes in your bow tie model, you can start thinking about how that could have a positive influence on your organisation and meeting business objectives.”
For Hughes, mapping key stakeholders to understand what their attitudes and risk appetites are can help you flex your strategy and bring naysayers on board. In fact, he argued, it is probably those people who are most challenging to convince that you need to build better relationships with.
He said: “There’s a lot of people coming in and out of a business who come from different risk cultures, and have different motivations.
“When we implemented our GRC solution, we quickly realised who our stakeholders were by looking at their attitude towards risk, their history on it, how busy they are, how technologically adept they are, and how likely they are to embrace the change that we’re looking to introduce.”
Fancy a pizza night?
When looking to shape risk culture in an organisation, allies matter. Hopper recommends starting with teams that already have a good relationship with risk to get buy-in.
She explained: “I do see a lot of clients starting with the mature areas, such as the IT team. They’re naturally, whether they know it or not, mitigating risk all the time. They have a lot of knowledge to share.”
For Sidorenko, one approach to getting people engaged has been setting up pizza, beer and table tennis competitions throughout an organisation – something he described as his “most successful” strategy.
This allowed the risk team to have informal conversations with heads of departments, getting to understand their attitudes to risk outside of the bounds of formal meetings. However, he said risk managers must also go further and endeavour to create an atmosphere where risk analysis is inevitable.
He explained: “That means rewriting procurement, investment and budgeting procedures that basically say you cannot present something for approval unless it has stress tests or Monte Carlo simulations. You can’t get that without doing proper risk analysis.”
Hughes said that within his organisation, risk management has mandated that every employee has a risk-based objective in their personal development plan. While this may sound challenging, he said that most people are already managing a risk of some sort.
He added: “It could be quality, it could be helping to achieve a sales target, but when you start pinning that to the strategic objectives of the business, everything they’re doing is managing risk. Having a strategic approach to how you tackle each of those layers is how we went about [influencing risk culture].”
When it goes right
Hughes said that the ultimate upshot of shaping a more positive risk culture is that the risk management team becomes a commercial enabler, rather than a blocker.
He explained: “You’re evaluating the purpose of an activity, its alignment to the business’s strategic goals and making it really clear that you’re helping to remove boulders that could get in the way of success.”
Sidorenko added that in a strong culture, employees seek out the risk team to ask for quantification methodologies and support with risk analysis before making important decisions.
For example, at a previous company, one team was engaged enough to raise concerns around a solar generation subsidiary. Simulations and stress tests showed that the multibillion-dollar company was going to go bankrupt in months.
After being made aware of the risk analysis, the CEO could speak to the deputy energy minister, which led to a change in legislation.
Sidorenko said: “The company is still alive and that was an amazing experience when somebody absorbed that culture and was motivated enough to try quantitative risk analysis to support the decision they were making.”
Hopper agreed that the benefits of positive risk culture are significant, but reminded the audience that this should be a continuous process.
She concluded: “It’s never one and done when you’re training somebody. And don’t forget to start from the beginning each time, because a year later, there’ll be new employees in your organisation and different environmental impacts affecting you.
“Don’t presume everybody knows the business objectives or understands what the risk terminology is. That’s important, otherwise, you will have people nod and agree when they don’t know what you’re talking about.
“Show people that they do understand risk management and they’re already doing it. Lastly, don’t forget that people might be shy initially, but it doesn’t mean that they’re not intelligent or don’t have valuable information to share.”
Proactive risk assessment should be embedded in every decision made at an organisation. Your job is to shape the culture to make risk a company-wide priority. Learn how in our risk culture special report.