How Risk-Aware is Your Organization’s Culture?

Risks are inevitable and not always insurable. Every organization, private and public, faces risks in some capacity, and all organizations need to take risks to achieve their objectives. 

A risk-aware culture can significantly affect the capability to take strategic risk decisions and deliver on performance promises. Historically a risk-aware culture was seen as a segregated mode. Still, in the last few years, there has been more integration of a risk-aware culture with one language and a better-shared understanding. Most organizations make risk awareness part of their internal culture by putting risk management front and center for all employees, not just with “risk” in their title.

By Peggy Mendezcuria | Chartered Managers Canada

When an organization’s culture is risk-aware, people know their risks, are comfortable discussing them with others, and are willing to help others resolve them.

Although there is no single way to measure risk culture, building a risk-aware culture within an organization can be the first step in managing risks.  There are no structured guidelines, but various tools and approaches can be valuable in supporting a risk culture. Every organization is vulnerable to risks; however, starting with a proactive approach will lead to critical opportunities to meet strategic objectives better, enable and drive growth, improve reputation management and confidence in decision-making, and face fewer surprises.

Risks within organizations continue to grow in number and complexity, and identifying and managing various exposures take an all-hands-on-deck mentality.  In a risk-aware corporate culture, risk management is part of every critical decision by every stakeholder. 

What is a Risk-Aware Culture?  

Different organizations may describe a risk-aware culture differently; however, a risk-aware culture is what weaves the business of managing risk into the everyday routines of all employees. In addition, it is based on values, beliefs, knowledge and understanding of risk shared by a group of people with a common purpose, particularly by the employees, teams, or groups within any organization. It is not about what you do; it is about how you do it and what you think when you do it.  With more eyes and ears on the lookout for emerging risks, a company is much less likely to be blindsided by an undetected vulnerability, and that’s a significant competitive advantage for any organization.

Here are some steps to start a risk-aware culture:

Start at The Top:

Executive and board levels are core functions of the organization, and communicating risk to the organization should be consistent and shared by leadership to engage employees.  Getting top-level buy-in is essential.  Management, the executive level, and the board must understand that developing or strengthening a risk-aware culture is a necessary function.  Leading by example is powerful, and if senior leaders of an organization are visibly making a risk-conscious decision, others will naturally follow and operate risk-mindedly.

Provide Education:

Organizations must provide essential knowledge to their employees, making it easy for them to understand. It is always advisable to use terms that make sense to everyone and work with the business to understand why risk is significant and how to mitigate it. In this way, employees can participate in managing and mitigating risk threats.  Also, educating employees on the benefits of risk management, providing information on spotting potential issues, and determining what can be done to mitigate threats, can go a long way.  If the process is long or complex, adoption will be low.

Creating a risk-aware culture of understanding risk will make it much easier for stakeholders to see that reducing risk is in everyone’s best interest, not just a select few of an organization.

Dismantle Silos:

Viewing risk from an enterprise-wide perspective is significant, with open lines of communication within multiple departments within the organization.  Risks and threats do not just affect one department; they can affect the entire organization.  Establishing a risk committee that includes stakeholders is essential to building a risk-aware culture.

Technology can help by centralizing risk information, standardizing data and showing the relationships between threats.  It can establish a common risk language and facilitate productive conversations to identify and address all vulnerabilities.

Assign Responsibilities and Establish Incentives:

The risk committee should identify the individual who is most closely connected to each risk and hold that person accountable for its management.  In this way, there are lesser chances that something will fail.

Implementing incentives into performance plans gets people regularly thinking about risk and what they can do to help correct issues within their control in creating a risk-aware culture.  It should be embedded as one of every employee performance management goals.  Everyone needs to know that their roles support a strong risk culture.  Nothing will get more attention if a manager knows they must make improvements in a specific risk-related budget item or bonuses may be impacted.   

Update Technology:

A risk-aware culture can be challenging to measure.  According to the late Professor Peter Drucker, “If it can’t be measured, it can’t be managed.”  Technology can gather all risk-related data from claims, internal audits, safety and third parties into one location. This measures transparency and elevates visibility or risk, promoting a risk-award culture across the organization.

Risk scorecards, for example, can show how each business unit, department, or location performs against critical risk and safety goals. With all the data collected, leaders can review progress and recommend follow-up actions to improve performance.

Risks can never be eliminated, but they can be managed effectively.  Challenges will always need to be worked on within an organization.

Developing a risk awareness and a robust risk-aware culture will take time and is a process that relies on continued commitment and continuous improvement. It will take time to educate people about risk, spark dialogue around possible actions and instill a belief that everyone has the power to make a difference. The most challenging aspect of building a thriving risk-aware culture is to garner buy-in from the majority, if not all, members of the organization.

In conclusion, a robust risk-aware culture matters because, ultimately, people are what makes effective risk management possible. A risk-aware culture promotes a shared understanding of risk and supports the organization’s strategy, business model, operational practices, and competitive advantages. Once the foundations are in place and managing risk becomes part of the organization’s DNA, the ongoing strength of operations and ability to achieve objectives will be invaluable assets for future sustainability and growth.

Peggy's career spans over 20 years within the insurance industry, in various roles, including, learning and development, operations management and industry engagements. Peggy is an Insurance Claims Manager at the largest adjusting company in Canada. She is also a part-time professor, and instructor, teaching CIP and insurance management courses. In her spare time, she is also an author of children’s books.