We make choices that reflect our attitude to risk every day. Do I trust the crowded pub during Covid? Do I take the deserted path? Business risk is no different.
An organisation's risk culture reflects its business philosophy. A small start-up is likely willing – and able – to try new things and embrace a 'test and learn', 'fail fast' ethos. A long-established financial institution subject to strict regulations and headed by senior staff set in their ways may have a zero-tolerance policy.
Developing a successful & effective risk culture
For some businesses, risk is a four-letter word, while others actively go out of their way to embrace it. An organisation can create a risk strategy or enhance a risk mitigation culture in several ways. While there are several smaller nuances, a risk management plan boils down to five simple practices.
Without people willing to take a leap of faith, our world would look very different. But history is also a litany of failures that far outnumber successes. The key is striking the right balance.
1. Workplace risk assessments
Do you have a risk management strategy or process in place already? If so, is it fit for purpose? Things can change quickly, and what was acceptable or unacceptable once may no longer be valid. What are its strengths and weaknesses? If there has been cause for concern or any previous incidents, where can it be improved?
If there's no risk management culture, what should it look like? A robust and honest self-assessment should shine a light on the company's darkest corners.
According to Quantivate, 69% of executives are not confident their current risk management policies and practices will be enough to meet future needs, while only 36% of organisations have a formal risk management programme.
Remember that your risk culture also needs to match the expectations of your stakeholders, such as regulators, shareholders, and clients. A risk analysis, like the one Indeed has, can help you understand what to consider and how to collect vital information.
2. Risk management planning
The risk management plan should set out what risk looks like to your company. What level of risk is acceptable, and in what areas? Business risk covers several factors:
- strategic (the risks a company is prepared to take to grow and develop)
- operational (your systems and employees in their day-to-day roles)
Give each careful consideration as one can create a domino effect. Set out what your risk culture aims to achieve in the short and long term, and make it measurable. Invite a diverse range of people to feed into the plan.
A mix of viewpoints will help ensure it is accessible, engaging, achievable, and reflects your company's culture. Any good risk culture takes an organisation's wider beliefs, behaviours and values as its starting point to ensure a seamless connection. Agree, too, on a suitable timescale for reviewing its effectiveness.
3. Employee engagement with risk management
Any risk culture needs buy-in from its people to succeed, and this starts from the top. Quantivate suggests boards devote only 9% of their meeting time to risk management, which may explain why just 6% of directors believe their organisation's board is effective at managing risk.
Even if the senior team don't directly contribute to creating a risk management culture or plan, their ratification, engagement and 'walking the walk' are critical.
The Institute of Risk Management highlights that how senior teams encourage employees to report risk events and ensure learnings are captured and shared is vital. How whistle-blowers are treated and protected will rapidly dictate the rise or fall of any risk culture.
The processes for reporting bad practices in a timely fashion should be made very clear, with an option of anonymity, where appropriate. Consider incentivising people to speak up, and include smart risk-taking in performance reviews and rewards.
Ensure the plan shared with everyone in the organisation is simple to find and easy to understand. Risk culture is only as strong as the weakest employee, so success depends on everyone knowing where they stand and what is expected of them, individually and collectively.
4. Risk strategy development
A risk culture or strategy is an ongoing process. To ensure it's working effectively, monitor the results continually and regularly. Be transparent, honest and willing to learn from mistakes. Trying to bury bad news will be counter-productive.
Workplace grapevines are notoriously effective at distributing truth and rumour, so always be upfront. This will show people internally and externally that the risk culture is working, can be trusted and is a vital tool in helping employees and the business to develop.
Create a Risk Team or Risk Champions, drawn from employees, that colleagues can approach with concerns and improvements. As well as providing a rich vein of ideas, people understand they have an integral role in the company's future direction.
Introduce regular training programmes or courses. If you have in-house expertise, create an interactive training session on recognising risks, compliance or whistle-blowing, or use external e-learning tools.
5. Risk monitoring & reviews
The world and work are constantly changing. The fast pace of technology is almost matched by its cyber risks. More people are working remotely and out of sight of managers than ever before.
It's also a volatile and increasingly polarised planet. Review the successes and failures of your risk management culture according to the timescale set out in the plans. However, if it's clear that something isn't working at the outset or external factors have suddenly changed, be prepared to take immediate corrective action.
Front-line opinions are also critical. Internal surveys can help to measure employee engagement and whether employees believe the policy, processes and the overall culture are on the right road.
The importance of a risk mitigation culture
An unwillingness to take risks will leave a business floundering in its less risk-averse competitors' wake – potentially leading to loss of clients, revenue and, in extreme cases, the business itself.
Conversely, too much risk can result in far-reaching legal, operational and financial consequences, causing reputational damage and eroding client confidence – possibly ending with the same severe outcome.
A robust risk-conscious culture is critical, setting out the company's appetite for taking risks, defining good, bad and smart risks, and explaining how its people should approach risk. Essentially, it should enable and reward people for taking the right risks in an informed way.
Done well, it can help drive business success. In fact, 86% of business leaders say risk culture has a major impact.
Without it, a business relies on an individual's behaviour and appetite to take risks, which can vary widely depending on their seniority, personality, or even their mood on the day.
This lack of oversight, control, or consequences can enable activities that fly in the face of a company's policy or procedures – and should ring alarm bells.