How to Create a Positive Risk Culture

There are several risk management solutions that organisations can implement to strengthen their organisational culture to create a positive ‘risk culture’ outcome.

These organisational practices include:

Create an accountable organisation.
Implement the appropriate organisational design.
Create awareness of the strategic benefits of risk management.
Create an effective risk governance structure.
Create an effective risk function.
Hire the right personality to head the risk function.
Create a just and psychologically safe culture.
Formalise informal risk communications.
Create clear escalation and reporting pathways and trigger points.
Simplify risk management tools, activities, and processes.

Create an accountable organisation

Organisations and management teams must be clear about what success looks like, how it’s measured, and who’s accountable for it while making rewards (and punishment) dependent on accomplishing those results.

Link accountability and reward with performance and risk management to drive positive organisational performance and success given that risk management is about the achievement of objectives.

If it is not clear who’s accountable for a specific outcome, chances are it won’t be achieved. Without clarity as to accountabilities, risks will not be identified and managed.

Accountability, empowerment, and trust must start with the Board and executive management. These go right down to every individual in the organisation. Without an organisational-wide culture of holding individuals to account and rewarding them for positive behaviours and results, organisational performance will suffer. Risk will not be identified and managed.

Empower and trust people to utilise their risk judgment and appetite to achieve the best outcomes for the organisation. This creates agility and flexibility to innovate, adapt and grow in today’s challenging operating and business environment.

Implement the appropriate organisational design

Implement organisation models and structures that will empower individuals, clarify what’s important to organisational success, and assign accountability and responsibility in a way that works for cross-functional teams, projects, and solutions.

Always start with the work itself. Determine what needs to be done to achieve the organisational vision and mission. Identify the outcomes and performance metrics that will define success (i.e., what does success look like and how do we measure success). And define the required capabilities, skills, and experiences that are needed to perform the work and determine who is accountable for the work and success.

The organisation design must excite, engage, and empower people and teams; to give them a sense of autonomy, accountability, and ownership, and encourage continuous creativity, growth, and flexibility.

There is agility and flexibility in delivering the agreed outcomes when there is accountability, autonomy, and ownership.

Create awareness of the strategic benefits of risk management

Risk and risk management are not always viewed positively.

While regulation and compliance remain key drivers for board-level involvement in risk management, it is vital to create awareness of the strategic benefits of risk management in helping boards and managers exploit opportunities to exceed their stated objectives.

Create diversity in boards’ risk skills, knowledge, experience, education, and training. This helps to develop a collective consciousness that allows a board to identify changes in risk exposures and respond appropriately.

Set a consistent ‘tone at the top”

Boards and executives should be mindful of the interrelationship between the embeddedness of risk in their discussions and decisions, and its embeddedness in the organisation itself.

Consistently committing resources and setting the ‘tone at the top’ will go a long way in creating and sustaining a positive ‘risk culture’.

Create an effective risk governance structure

Boards create governance structures and use committees (e.g., risk, audit) to best support their decision-making and oversight over strategic matters and risks without delegating their accountability. They establish clear and transparent lines of communication between themselves their committees, and the subject matter experts supporting those committees.

The risk committee can act as a filter for the board. This enables a more succinct and strategic discussion to take place at the board. The committee chair distils the key points from the discussion to the board. Through the active role of the chair, scrutiny of risk areas and even emerging risks takes place.

Create an effective risk function

Create a forward-looking risk function that is focused on trending or emerging strategic issues and risks in addition to being a ‘trusted friend’ to Line 1 business owners.

Depending on organisational requirement and design, the risk functions can play one or more roles from an organisational design perspective – as a business partner (Line 1 role), an overseer (Line 2 role) or an independent facilitator (Line 2 role).

Use tools like scenario planning to overcome the potential failure to take known risks into account.

Hire the right personality to head the risk function

Personalities matter in performing successful organisational roles. Without the right personality or person that can deliver the intended purpose and direction of the risk function, it is going to be difficult the set the right foundation for organisational success.

If the focus of the risk function is to be an independent facilitator, hiring an introvert or a hard-nose person in the role of the Chief Risk Officer can be counterproductive.

Worse still, combining the risk and audit functions under a Chief Risk and Audit Officer can also be counterproductive in many instances. A career auditor cannot effectively have forward-looking risk conversations while generally looking back with a stick in hand.

No business owner will open up in frank discussions with an auditor knowing that their actions will be audited and reported in the future!

Create a just and psychologically safe culture

Create a culture, or even a just or psychologically safe culture, in which people sincerely believe that it is right to communicate problems promptly to the next level of management without fear of an aggravation of the problem.

People need to feel psychologically safe to report and escalate risky decisions, concerns, or even poor behaviours without fear, favour, incrimination, and retribution.

Give Chief Risk Officers decision-making powers and veto rights over transactions considered too risky rather than passively monitoring risk measurement and analysis. Diversity in decisions is important for complementary teams.

Formalise informal risk communications

Outside formal reporting mechanisms, boards establish lines of communication between the executive and non-executive board members, as well as between board members and sub-committees, that will enhance deeper and meaningful risk discussions at the board level.

Given the effect of static risk data and organisational complexity on decision-making within the boardroom, risk committees create a vital conduit and interaction through which there is timely flow and filtering of relevant information to the board.

While the information may not be accurate or complete, it has to be timely.

Create clear escalation and reporting pathways and trigger points

Proactive escalation, reporting and communication are far better than unpleasant surprises that can require costly corrective actions in the future.

Develop and implement clear trigger points or business rules for escalating risks, issues and concerns up the organisational hierarchy. This is part of the escalation procedures that include defined escalation and reporting pathways.

For example, informal discussions with team members reveal widespread dissatisfaction with pay, terms, and conditions among staff across the organisation. The threat is escalated to the HR department.

No matter where the person is in the organisational chart, they must know how and when to escalate and which pathways to use. They also need to know what issues should be raised, to whom and within what time frame. This avoids the failure in communicating risks and issues to top management.

To make risk escalation work, we need clear thresholds between the different levels in the organisation. Everyone knows where each risk belongs, without confusion or ambiguity.

Regardless of where a risk is identified, it needs to be managed at the right level. This is defined by measurable thresholds based on the objectives that would be affected if the risk occurred.

Having identified the right level at which the risk should be escalated, the manager needs to communicate the risk to the new risk owner and ensure they actively accept responsibility for its management. At this point, the risk can be removed from the risk register and entered into the risk register at the level where it belongs.

Risk escalation works best when these factors are in place:

Open culture that encourages sharing of information across departments and organisational levels.
Risk information and discussion are on the meeting agenda at all levels of an organisation.
Organisational members acknowledge that risk management processes at all levels are sources of valuable information relevant to decision-making.
Employees and mid-level managers understand that they may be sitting on the only source of risk information.
Attention is given to how risks are communicated (i.e., format, length, language, etc.).
Positively acknowledge every risk that is escalated (i.e., saying “Thank you”).

Simplify risk management tools, activities, and processes

Co-develop and implement simplified and user-friendly risk management tools, activities, and processes with active input from users. This will significantly improve employee experience and formally increase the likelihood of ‘doing’ risk management – they want torather than have to do risk management.

This co-design and co-ownership will create a positive ‘risk culture’ for the organisation.