Does the term ‘risk culture’ mean anything to the stakeholders or leadership teams that you work with?
We asked a community of risk managers this very question in a series of interviews last week.
Their general response was that ‘risk culture’ is yet another buzz phrase.
They argued that if you broke down the components of what risk culture is; and assessed what your aims really are, then in fact, what you’re trying to do is improve your risk maturity and decision-making process.
In their experience, HR directors and other stakeholders pushed back each time they tried to implement processes to improve their company’s risk culture.
Progress was slow. So, they stopped talking about risk culture entirely.
Instead they adapted their approach. They moved their starting point away from HR directors and leadership teams and applied these four alternative methods:
Four new ways of approaching risk culture
- Stop trying to engage HR: in the short-term, trying to get support from HR will seem like a futile pursuit. There will be pushback and political boundaries. Find a new starting point. Look for the “low hanging fruit”.
- Start with middle managers instead: these are the professionals who will – directly – implement and execute projects. For this reason, there will be more straightforward opportunities to influence and enhance risk-related decision-making.
- Stop talking about risk: fact is, ‘risk (management)’ means very little to anyone outside of the risk management department. What stakeholders and senior management are most concerned with is performance. So, drop the word ‘risk’ in favour of ‘performance’: ‘performance culture’; ‘performance management’.
- Don’t look at risk culture as a ‘risk culture’ exercise: instead, look at it more broadly as an exercise to improve your risk maturity.
You may not agree with all of these points. They are an alternative to some of the methods that we outlined in an earlier post.
Undoubtedly, there will be many other ways to enhance your risk culture. We’d love to hear from you if you have a different viewpoint or approach. Get involved in the debate by contacting kin.ly@riskleadershipnetwork.com.
However, if you want convincing, we’ve outlined the risk managers’ full arguments below.
1. Stop talking to HR managers – for now. There might be a more effective starting point
Culture, mission values, and change management initiatives are owned by leadership teams and HR departments. So, when you talk to them about launching any form of culture project – be it risk, sales, or people – more likely than not, you will be met with concern and challenge.
Risk culture is hard to influence – so work on this very basis and find a new starting point.
Instead of going after HR in the first instance, work with the layer of business in which you have greater influence over employees’ behaviours and attitudes.
This doesn’t mean abandoning HR entirely. It means starting your risk culture journey from a different perspective.
2. Make greater inroads by investing your time on middle managers
You may not need to place all your efforts on engaging executive management or the board.
There is, indeed, a compelling argument for why this is important:
- Board members and executive managers are the ultimate decision-makers, so getting their buy-in will escalate the importance of risk management.
- Board members are typically tasked with risk oversight. This means they have an obligation to carry out due diligence. And doing this well will require a good understanding of the company’s risks and its mitigation and prevention strategies.
- Tone from the top around risk management sets the precedence for the entire company.
These are areas that risk managers can shape and develop.
But engagement with the leadership team remains a perennial challenge. In fact, boards only spend 9% of their time on risks, according to Mckinsey.
Changing their attitudes and perceptions is a long-term battle. And one that must be embraced. But quick – and effective – wins can be found elsewhere.
The leadership team doesn't execute projects, middle managers do. They make decisions every day on how best to deliver the agreed outcomes – from sourcing third-party suppliers to scoping out decision documents. They encounter risks on a regular basis – and decide on how to respond.
Your impact will be greatly felt in these areas. And there are more opportunities here for collaboration: for you to shape and influence day-to-day decision-making; to embed risk-intelligent mindsets and improve your company’s risk maturity (and culture).
3. Stop talking about risk management. Start talking about performance management
The truth is, ‘risk’ and ‘risk management’ don’t mean much to your stakeholders or leadership team.
They are words that are embroiled in misconception.
You’ve likely been in one or more of the following scenarios and misunderstood to be a:
- Naysayer who prevents and blocks progress and innovation
- Manager focused only on the negative parts of business (i.e. downside risks)
- Very technical person, who talks an indecipherable and unrelatable language full of ‘risk appetite’, ‘risk tolerance’, ‘risk maps’, ‘intangible risks’, ‘risk culture’, ‘downside and upside risks’ (what does it all mean?)
We know that points one and two are mostly, if not completely, untrue. The problem generally lies in point three.
It is difficult to build resonance, engage stakeholders, and positively influence behaviours and decision-making processes – if you use jargon that few understand.
This is why our community of risk managers recommend ditching the word ‘risk’ – or at least reducing its use.
One risk manager recommended this exercise: break down what you’re trying to do and re-explain in layman’s terms or by using your company’s corporate language.
Only use the word ‘risk’ if it is absolutely necessary.
If you consider that risk culture is about organisational values and behaviours that shape risk decisions; then you may have more effective ‘risk culture’ conversations if you talk about ‘an approach’.
And if risk management is about effective decision-making, then we’re also talking about ‘performance’ management.
In other words, at project and departmental level, look at what ‘approach’ is being used and how decisions are being made: how do teams decide on their suppliers, what equipment to invest in, how to prioritise budgets, and deploy staff? What are the risks and uncertainties around these decisions, and how can I help these teams eliminate or reduce them?
4. Should risk culture be treated as a risk maturity or ERM exercise?
This leads us on to our last point – what exactly is risk culture?
Let’s round-up on the arguments we’ve sourced from our risk community – that risk culture is about improving:
- Behaviours and attitudes towards risk
- How employees consider risk in their decision-making process
If we accept these arguments, we could perhaps conclude that ‘risk culture’ is about improving your risk maturity overall. So why look at ‘risk culture’ as a ‘risk culture’ exercise?
Do you agree?
If you have an alternative view, we’d love to hear from you! Take part in the debate and get in touch: kin.ly@riskleadershipnetwork.com.