Building an effective risk culture is all about creating an environment that encourages conversation, and in which people understand the risk environment in which they operate. This means understanding the need to reduce downside risks, while also taking opportunity risks as they arise in order to drive the business forward through innovation.
Here, I’ve distilled three top tips for creating an effective risk culture, taken from a private meeting with a number of our network’s risk leaders (the full write up of which can be found by members in the Intelligence platform).
1. Keep it simple
When first defining your risk culture, it is important to keep things simple. Risk culture is essentially about looking at the risk outcomes that determine the direction of the organisation, and then identifying the behaviours that can lead to favourable outcomes.
These can then be turned into risk culture statements that can be communicated to the organisation so that everyone knows the desirable behaviours that are needed to drive the business forward.
The important thing to remember is that these statements need to be short and simple so that people can understand them quickly, and they also need to capture the idea that risk management is not only about reducing risk, but is also about taking measured risks to drive innovation and seize opportunities.
2. Make the conversations open
To ensure effective take-up of a new risk culture, you need to make sure that everyone is onboard, and that people are open to conversations no matter where they sit in the organisational structure.
In order for risk culture, and risk management in general, to be effective, people need to feel safe in speaking up if something goes wrong.
Individuals should not be afraid of raising awareness of a red flag or telling a superior when something has gone wrong. Likewise, senior leaders need to be made aware that a red flag on a dashboard is not a bad thing, but is simply a way of illustrating that actions need to be taken, and that such actions can often be a simple fix that does not require a vast amount of resources.
This can only be achieved by breaking down the barriers to conversations, so that even difficult conversations can take place in a calm and considered manner.
In order to achieve this, communications around risk need to be tailored to the audience they are speaking to, with language often simplified when speaking to a non-risk audience.
3. Remember to be inclusive
Any type of culture is only successful if it is lived by everyone in an organisation, and risk culture is no different.
By bringing other business functions into the risk culture process, you can help ensure that the message is distilled across an organisation and becomes embedded in the overall cultural values of the business.
Audit functions, for example, can be used to perform behavioural audits that look at the people risks that have led to control failures or breaches of protocols.
It is important, however, to remember that people are the product of the environments in which they operate, so the wider environment also needs to be put under scrutiny when investigating the reason for any failures.
Through these behaviour-focused audit reports, you can then start influencing people and their environments, and make them more aware of how their behaviour influences the controls that are in place and the subsequent risk outcomes.
Click here to find out more about our upcoming member meetings.