Risk culture: building from within
Today, more than ever, an organization’s ability to empower employees to raise issues in a timely manner is key to building a strong risk culture—a new and necessary layer of protection against the myriad risks we face daily. Here, J.F. Bureau, Senior Vice President and CRO at PSP Investments, explores how to build a solid risk culture from within. J.F will be presenting on assessing the importance of building a strong risk culture that permeates the organization during RiskMinds International in Amsterdam, Dec 3 -7.
In the past, organisations set a tone from the top in defining risk limitations, along with policies and procedures for risk mitigation. They shared risks and opportunities at the highest levels only, on a need-to-know basis. However, in today’s world, with a broader spectrum of risk than ever before—not to mention an increasing rapidity of events and more exacting stakeholder expectations—this approach is no longer sufficient, especially for organisations which operate at a global level, across numerous asset classes and sectors.
To achieve their mandate and deliver on their commitment to stakeholders, organisations must follow a disciplined, integrated approach to risk management—taking calculated risks and managing them appropriately.
All organisations are subject to this increased flow of internal and external risks and opportunities that cross sectors and geographies. The most effective method to fostering proactive risk mitigation is to ingrain risk within the organisation’s culture—by empowering all employees with this critical responsibility.
Employees must know they are an organisation’s first line of defense.
This short article will connect the latest in the “culture” theory of risk, with practical examples that organizations can easily apply. Note: these advances take for granted that an organisation already has strong and effective governance at the Board level, the right tone from the top and a top-tier risk framework.
Identifying the correct attitude and behaviour
To have a risk-aware culture, it is essential that an organisation’s employees feel empowered to proactively identify, evaluate, manage, monitor, and report risks. Employees must know they are an organisation’s first line of defense. This can only be possible with the full support of the organisation, including internal teams such as human resources and communications, who will assist the risk team into weaving important messaging into the organization’s DNA. If applied successfully, employees will take an “ownership” mentality to risk.
Using the right language
The risk team should use non-technical, conversational language in their messaging to speak to a broad group of stakeholders with a variety of specialties and backgrounds. As a general rule, all audiences prefer reports that are void of technical jargon and offer an accessible layout, such as a clear executive summary that directs them to the most pressing risks and their potential impact to the organisation.
An ERM framework with double-duty
Moving past traditional areas of risk management, an ERM framework provides a structure for identifying, evaluating, managing, monitoring and reporting all risks. However, this same framework can be effectively used in a secondary capacity: to designate roles and responsibilities; establish effective escalation; identify the stakeholders that should be involved; and improve on incident and crisis responses, and organisational resilience.
This type of framework will improve communication, helping an organisation to be more aware and proactive, so that it can prepare, test, and in some cases mitigate or capitalise on risk, for a desired outcome—turning risk into opportunity.
Enhanced Communications
To ensure risk communication is present throughout the employee lifecycle, it must begin at the onboarding process, in the first official communications to employees. Management should then build on those messages, walking the talk, by sharing insight on high-level risks with employees on a regular basis. They should take both a general approach, including the use of tools such as internal news (intranet) and employee-wide learning sessions—as well as a tactical one, such as positioning risk team members at cross-functional committees and on strategic initiatives, and working with the communications team on focused internal communications plans. Thus, they will effectively break down siloes between groups, so that information can flow freely.
An organisation that does not use a trust-based approach risks missing out on an increasingly critical defense in safeguarding their organisation from potential threats, and being perceived as incapable of effectively managing and resolving issues.
Organisations may wish to go so far as to share certain board presentations with employees, for maximum transparency. Maintaining a high level of transparency can lead to strong support throughout the organisation, empowering and incentivising employees to fulfill their roles as the first line of defense.
A clear formula
Risk culture must be based on trust so that employees feel free to speak candidly, with clear lines of escalation. An organisation that does not use this trust-based approach risks missing out on an increasingly critical defense in safeguarding their organisation from potential threats, and being perceived as incapable of effectively managing and resolving issues.
In summary, a risk culture requires three things:
- Empowerment. When communicating with Senior Management, it is imperative that employees feel empowered to provide the key information that leaders need to know.
- A fundamental understanding of risk. Organisations must work to continually educate and expose all stakeholders to risk awareness. All stakeholders must have a unified definition of risk for effective risk identification and mitigation.
- An end to siloes. The risk group must partner with teams across the organization and embed responsibility for risk management into the organizational DNA, empowering its employees to take on an active role in risk mitigation as part of their core responsibilities. Risk management fails when it solely lives in the risk management group.
