7 Key Steps to Implementing a Risk Culture

In any organization, risks are taken on a daily basis. No one could hope to be profitable without them. However, if risk-taking becomes too extreme, it could lead to customer distrust, employee activities that go against stated values, or even the end of operations. Risk-taking doesn’t necessarily lead to financial or reputational damage, but it still has the potential to negatively impact goal achievement. On the other hand, a risk culture that is too strict can take away any potential benefits of risk-taking, such as significant growth. Organizations must strike a balance by defining and implementing a strong risk culture: 86% of business leaders say that culture has a major impact on success.

Culture is one of the most difficult aspects of an organization to change, as it is so deeply rooted in day-to-day activities and can be hard to identify. However, risk teams can begin by considering the following steps:

1. Evaluate the Current Culture

Before implementing a risk culture, the risk team must evaluate the current culture. Even if there’s no formal culture, many employees may have the same risk attitudes and preferences. Some areas may already be strong, while others may present vulnerabilities that need to be fixed. Determine the impact the current culture has on the activities and accomplishments of the organization. What are its strengths and weaknesses? Does it make sense based on the industry and organizational goals?

Different types of organizations require different levels of risk appetite. A start-up business, for example, will have a much higher tolerance than an established accounting firm. Depending on size and strategic goals, the risk team may have to shape the culture to complement the environment and accomplish objectives.

2. Plan a Cultural Change

Once there is an idea of the current culture and where it is lacking, the risk team can work on improving it. Perhaps employees need stricter guidelines, or new tools and processes can be implemented. The organization may also consider using new measures and indicators to track the success of risk management initiatives.

Culture change is a significant shift and it needs to be treated seriously. Create a plan with benchmarks and deadlines to measure success. Culture changes often take place through team activities, training, and increased emphasis on key values. Once the change has been successfully implemented, the team must continue to monitor the risk culture and make any changes as needed.

3. Gain Top Management Support

No significant change can take place without the support of top management. It is up to the risk team to present the need for a culture shift to executives by demonstrating how it will benefit strategic goals and creating urgency for change.


4. Set Expectations

An organization with a strong risk culture will have a stance on strategic goals, risk appetite and tolerance, and key values. All employees should understand and be motivated to comply with these guidelines; in some organizations, it may be best if the majority of workers hold similar attitudes regarding risks and ethics. However, it is important that there is at least some level of diversity among perspectives to prevent the organization from becoming stagnant or distanced from the current environment.

The new culture should be formally documented and embodied in the day-to-day actions of the organization. Managers should give both new and experienced employees values and expectations to follow.

5. Prioritize Risk Management

In order to create a strong risk culture, executives and board members must place risk management as a high priority. Risk management is no longer treated as an individual department, but as an aspect of every activity. Top management can support this by setting an example of ideal behaviour, proving that a risk culture is vital for the success of the organization, and motivating employees to take action.

Further, incentivize employees to embody the new risk culture: reward appropriate risk-taking and link performance to smart risk-taking. In some organizations, such as P&G, the employee or team that had the biggest failure and insight is recognized with awards. Employees who are either too risk-averse or too reckless should be educated on their mistakes and taught to work in a way more appropriate to the risk culture.

6. Provide Training and Development

Risk management must move beyond simple awareness to active and proactive behaviour. All employees should, through training, understand the importance and value of managing risks so they can act appropriately in their day-to-day work. Base decision-making on data and a consideration of potential risks. Ethical training is also a big part of many risk management programs. Above all, employees must commit to continuous learning and adaptation as the risk environment is constantly changing and evolving.

Employees in every department, from marketing to accounting to operations, must begin applying risk management techniques. These skills can no longer be isolated in a single department. For true effectiveness, universally adopt and apply them across the entire organization.

7. Develop Communication

Communication is key for any strong culture. Share information transparently and honestly, with employees of all levels comfortable taking responsibility for their actions. Management should encourage the reporting of mistakes, sharing of negative information, and whistle-blowing so undesirable behaviour can be detected and resolved before it becomes a larger issue.

The development of an excellent risk culture is only one step in an organization’s process of effectively managing risk. By developing one, the risk team ensures that all employees are on the same page and will grow the organization safely.

 

Rebecca Webb

Rebecca is a writer and student marketing specialist at ClearRisk Inc., a provider of cloud-based risk management software solutions.
