7 Key Steps to Implementing a Risk Culture
In any organization, risks are taken on a daily basis. No one could hope to be profitable without them. However, if risk-taking becomes too
extreme, it could lead to customer distrust, employee activities that go against stated values, or even the end of operations. Risk-taking doesn’t
necessarily lead to financial or reputational damage, but it still has the potential to negatively impact goal achievement. On the other hand, a risk
culture that is too strict can take away any potential benefits of risk-taking, such as significant growth. Organizations must strike a balance by
defining and implementing a strong risk culture: 86% of business leaders say that culture has a major impact on success.
Culture is one of the most difficult aspects of an organization to change, as it is so deeply rooted in day-to-day activities and can be hard to
identify. However, risk teams can begin by considering the following steps:
1. Evaluate the Current Culture
Before implementing a risk culture, the risk team must evaluate the current culture. Even if there’s no formal culture, many employees may have
the same risk attitudes and preferences. Some areas may already be strong, while others may present vulnerabilities that need to be fixed.
Determine the impact the current culture has on the activities and accomplishments of the organization. What are its strengths and weaknesses?
Does it make sense based on the industry and organizational goals?
Different types of organizations require a particular level of risk appetite. A start-up business, for example, will have a much higher tolerance than
an established accounting firm. Depending on size and strategic goals, the risk team may have to shape the culture to complement the
environment and accomplish objectives.
2. Plan a Cultural Change
Once there is an idea of the current culture and where it is lacking, the risk team can work on improving it. Perhaps employees need stricter
guidelines, or new tools and processes can be implemented. The organization may also consider using new measures and indicators to track the
success of risk management initiatives.
Culture change is a significant shift and it needs to be treated seriously. Create a plan with benchmarks and deadlines to measure success.
Culture changes often take place through team activities, training, and increased emphasis on key values. Once the change has been
successfully implemented, the team must continue to monitor the risk culture and make any changes as needed.
3. Gain Top Management Support
No significant change can take place without the support of top management. It is up to the risk team to present the need for a culture shift to
executives by demonstrating how it will benefit strategic goals and creating urgency for change.
4. Set Expectations
An organization with a strong risk culture will have a stance on strategic goals, risk appetite and tolerance, and key values. All employees should
understand and be motivated to comply with these guidelines; in some organizations, it may be best if the majority of workers hold similar
attitudes regarding risks and ethics. However, it is important that there is at least some level of diversity among perspectives to prevent the
organization from becoming stagnant or distanced from the current environment.
The new culture should be formally documented and embodied in the day-to-day actions of the organization. Managers should give both new
and experienced employees values and expectations to follow.
5. Prioritize Risk Management
In order to create a strong risk culture, executives and board members must place risk management as a high priority. Risk management is no
longer treated as an individual department, but an aspect of every activity. Top management can support this by setting an example of ideal
behaviour, proving that a risk culture is vital for the success of the organization, and motivating employees to take action.
Further, incentivize employees to embody the new risk culture: reward appropriate risk-taking and link performance to smart risk-taking. In some
organizations, such as P&G, the employee or team that had the biggest failure and insight are recognized by awards. Employees who are either
too risk-averse or too reckless should be educated on their mistakes and taught to work in a way more appropriate to the risk culture.
6. Provide Training and Development
Risk management must move beyond simple awareness to active and proactive behaviour. All employees should, through training, understand
the importance and value of managing risks so they can act appropriately in their day-to-day work. Base decision-making on data and a
consideration of potential risks. Ethical training is also a big part of many risk management programs. Above all, employees must commit to
continuous learning and adaptation as the risk environment is constantly changing and evolving.
Employees in every department, from marketing to accounting to operations, must begin applying risk management techniques. These skills can
no longer be isolated in a single department. For true effectiveness, universally adopt and apply them across the entire organization.
7. Develop Communication
Communication is key for any strong culture. Share information transparently and honestly, with employees of all levels comfortable taking
responsibility for their actions. Management should encourage the reporting of mistakes, sharing of negative information, and whistle-blowing so
undesirable behaviour can be detected and resolved before it becomes a larger issue.
The development of an excellent risk culture is only one step in an organization’s process of effectively managing risk. By doing so, the risk team
is ensuring that all employees are on the same page and will grow the organization safely.