12 ways to improve your risk culture

Feb 27, 2020

What do you want your risk culture to be?

More precisely, what attitudes and behaviours do you want employees to display? And how do they link to your company’s strategy, performance and mission values?


In efforts to establish what we call ‘risk culture’, we are essentially trying to optimise our risk approach to support the delivery of business objectives.

As risk managers, we broadly share the same aims. We want risk management to:

  • be embedded within the fabric of our businesses
  • positively influence decisions at all levels
  • focus on opportunities and upside risk (not just the downside)
  • support performance and the strategic direction of the business
  • support a culture that embraces all of the above.

But getting there is a long-term battle. Essentially, it requires good relationships – buy-in from the board and leadership right down to the operational functions.

There is no one-size-fits-all approach. But we can share lessons and adapt them to our businesses.

And in that vein, here are 12 steps that have worked for me in terms of strengthening relationships and risk culture (or, as I would rather call it, the ‘risk approach’).

1. Establish your board’s expectations

This is where it all starts. The board must decide and clearly communicate their expectations. They must spell out their attitude towards intelligent risk-taking and how this differs between target metrics.

Here’s an example of how this could be expressed:

At X company, we consciously take risks based on explicit values and aspirations:

  • Health and safety and product safety are based on a zero-tolerance philosophy.
  • Business risks are taken based on explicit and documented considerations.
  • The environment is important. We will not take risks which could result in long-term damage to the environment. Should incidents occur, we will ‘clean-up’ and restore.

2. Structure and refine your process for reporting to the board

I see three types of risk reporting to the board:

  • What is the likelihood that we will meet our strategic aspirations – and the key factors supporting or inhibiting us?
  • What is the likelihood that we will meet this in, for example, next year’s budget target – and the key factors supporting or inhibiting us?
  • Exception-based reporting. This should look something like this: X has happened or may happen. We propose and seek approval to address this by X timeframe. This is particularly relevant for external risks like the Covid-19 ‘coronavirus’, Brexit or trade wars.

In addition, the board and leadership would benefit from discussing the effectiveness and ‘health’ of their risk management programme. Questions to consider include:

  • Is our current approach to risk management adequate? Is it optimal?
  • What, if any, changes should we make to strengthen our risk management?

3. Integrate risk management into decision-making

The fact is, if risk management does not influence decisions, then it has no real value or impact. And, indeed, COSO and ISO 31000 standards explicitly state the importance of integrating risk management into decision-making.

One way of achieving this is linking risk appetite to culture. Embed your statements directly into all decision processes, including:

  • Repeated operational processes: sales and operations planning is one example of a ‘repeated operational process’. Here, risk appetite must aid decision-making in areas such as the acceptable likelihood of not being able to meet customer orders, and what drives investments.
  • Individual projects: appetite statements should aid decisions in relation to performance and targets: how do we implement our project with a satisfactory likelihood of meeting targets?

Be mindful that all decision-making processes must also harvest opportunities. Have a read of my earlier post here, 2 short cuts and 3 steps to an intelligent risk-taking culture.

4. Establish performance scorecards instead of risk scorecards

Risk scorecards and dashboards are not relevant. But performance scorecards are. Include uncertainties and the effect of risks and opportunities into your performance scorecards. And use performance indicators to measure this.

5. Position the risk team as trusted advisors

This builds on points 3 and 4: regular decisions that actively leverage the insights and methodologies of risk management will help position risk managers as trusted advisors to the business.

This isn’t an easy win. It can take a long time to stamp your mark – but the gains are high. Start by influencing middle managers – the very professionals who make day-to-day decisions.

6. Structure incentive programmes to improve your risk culture (or approach)

The optimal incentive programme should look something like this:

  • Favour long-term and sustainable performance over short-term performance.
  • Don’t punish failure despite prudent and documented management of foreseeable risks.
  • Don’t incentivise luck. You may happen upon a ‘good result’ where there has been minimal risk management. This should not be praised.
  • Favour ethical behaviour and punish unethical behaviour: clear lines must be drawn here:
    • If you fail to comply with the stated norms, cultures and guidelines, you may get fired depending on the severity of your indiscretion.
    • If you are indicted with a crime for something you did as a board member/c-suite officer/executive/leader/manager – you are immediately fired and all bonuses, benefits and the like are forfeited.

7. Make sure your values and ‘risk culture’ interact

Risks and other sub-cultures are based on the values of the company. Risk culture, for example, is a sub-culture of the company’s overall corporate culture. These values should be expressed clearly and succinctly in a few sentences. And they must be communicated and known to everyone working with or for the company, including sub-contractors and third parties.

HR often owns and drives cultural elements. There are benefits to having culture coordinated from one entity. The risk manager’s role is to propose changes if or when the risk culture can be improved to strengthen a company’s performance.

Risk managers should collaborate with HR as well as other business lines. On risk culture, risk management should work on ensuring an updated and optimised culture through HR (assuming they are ‘in charge’ of cultural elements).

8. Share mistakes and lessons

This is a good opportunity to learn and improve. I know of one company that fostered a zero tolerance philosophy on product safety.

Internally, they disclosed every single incident and most near-misses. They did so in the manner of: “this happened, which was unacceptable. We have changed X to prevent similar and parallel incidents happening again”.

This created trust and thereby commitment among employees.

9. Create a psychologically safe environment to raise risks

This leads onto my next point – create a safe environment to raise risks.

Look at what recently happened in China with the outbreak of the Covid-19 ‘coronavirus’. The doctor who raised the flag was silenced and threatened. Today, China faces what Xi Jinping himself admits is a major crisis.

This is a clear lesson of, ‘never shoot the messenger’. Sadly, there are many cases where this continues to happen. Take the 2008 financial crisis, as another example.

Put simply, there were four groups of risk managers:

  • Those who never saw it coming (I am sad to say, this is probably the largest group).
  • Those who saw it coming but were unsure and decided not to speak up (also a large group).
  • Those who saw it, spoke up, and were ignored or even ridiculed. This was the case for the economist Nouriel Roubini, nicknamed Dr Doom for predicting the 2008 global financial crisis.
  • Those who saw it, spoke up – and got fired.

In addition, we must foster an environment where employees feel comfortable about having difficult conversations.

By and large, this happens frequently for tactical and operational matters. It rarely happens for strategic and political issues. Raising conversations at this level is often misconstrued as having little to no trust in the c-suite’s ability to define and deliver an optimal strategy.

And this is one of the very things that a ‘risk culture’ (or approach) must address.

10. Build engagement with leadership and stakeholders

Follow this sequence or combine some of these steps to enhance your engagement:

  • Persuade and sell: explain your risk approach in terms of the benefit for the stakeholder, project owner, or leadership: “This is the value to you”.
  • Provide support: pitch your risk management expertise as help and support: “Let me help you do this to prove the value it will bring you”.
  • Train, show and demonstrate: use language such as, “Let me demonstrate and show how you can do it yourself and create your own successes”.
  • Complement these steps with internal marketing: use language such as, “This project succeeded despite being hit by X.” Or, “We saw these risks and addressed them in a timely fashion.”

11. Be mindful of unconscious bias

Human biases are many. They are a challenge that all risk managers must be aware of – and whose effects they must mitigate. This can be done, in part, by driving for decisions to be made based on factual and quantitative insights – rather than on gut feelings.

12. Use behavioural surveys over sentiment surveys

Sentiment surveys are like election polls – biased and highly unreliable. Even the statistically best sentiment surveys are based on biased human feeling – and flawed as a metric.

Measure what people do – and you will be better off.
