
Building and Nurturing a Positive Risk Culture: A Practical Guide


Every successful organization understands the importance of managing risk. But beyond managing risks, it is crucial to build and nurture a positive risk culture. A positive risk culture means everyone in the organization understands the importance of risk management and actively participates in it.

In September 2023, StrategicRISK invited three fabulous speakers, all of whom have extensive experience establishing risk culture. The panel consisted of Tom Hughes, head of risk and financial crime at Simply Health; Claire Hopper, sales engineer at Risk Connect; and Alex Sidorenko, group head of risk, insurance, and internal audit at Sierra Verde. Together, they talked about positive risk cultures and how to embed them in organizations. In this guide, we’ll discuss how to create such a culture in your workplace.

What Does a Positive Risk Culture Look Like?

To me, a positive risk culture is when people within the organization reach out to the risk management team to perform risk analysis before making an important decision or do the risk analysis themselves and use proper risk analysis techniques—no heatmaps or other horoscopes.

Most of the risk manager’s time is usually spent chasing departments and executives, trying to convince them to stress test their assumptions, frame the decisions, find better alternatives, and perform quantitative risk analysis to compare the alternatives. Organizations that do this organically and consistently have a very mature risk culture. Mature organizations encourage transparent risk discussion and risk-taking; risks are balanced against the rewards and clearly documented.

Actionable Steps Toward a Positive Risk Culture in Your Organization

If you want meaningful changes for your organization, do the following:

  • Embed risk-based thinking into existing leadership charters, policies, standards, and job descriptions.
  • Integrate risk-based thinking into existing protocols for investment, capital decisions, long-term contracts, or other significant technical or financial decisions.
  • Encourage decision-makers to consider and disclose risk information during regular management and Board meetings.
  • Adopt a risk-based approach that focuses resources on areas of highest risk to the organization during planning and budgeting.
  • Incorporate risk adjustment into the performance metrics of key leaders and managers, and exclude KPIs that encourage risk ignorance or excessive risk-taking.
  • Build relationships and align methodologies with other back office departments, such as financial control, IT, safety, environment, or others.
  • Participate in relevant major performance improvement work.

Improve Culture By Making Risk Management Inevitable

In my experience, risk management is not taken seriously, no matter the tone at the top, unless risk management becomes inevitable and unavoidable. This means whenever a decision or significant topic is presented to a Board or an executive committee, it has to be supplemented with proper quantitative risk analysis.

I usually start with Board decisions and then blend risk management into everything important an organization does: budgeting, procurement, investment decisions, project management, external presentations, and so on. Effective decision-making in a positive risk culture organization involves considering multiple alternative risk-weighted options, not just a single path for approval.

Making risk management inevitable comes with a challenge, because as soon as you create a requirement to perform risk analysis to support each important decision, someone has to do it, and do it in a mathematically sound way. This means either teaching the business to do it (not an easy task, let me tell you) or doing the risk analysis yourself (easy, but it quickly becomes overwhelming given the quantity of decisions).

So, I usually prioritize and start one decision at a time. Don’t underestimate the challenge either; it may well take a full year to understand the intricacies of a process like vendor accreditation, selection, procurement, and performance management, and to figure out that not one but three separate risk methodologies are required to support the decisions.

This would not be possible without building strong relationships with risk owners and finding what motivates them to account for risk. Again, this is not a simple task; risk owners prefer to ignore risks unless you find a tangible way to make it worth their while to disclose and be transparent about risks.

Actionable Steps Toward Making Risk Management a Focal Point in Your Organization

To make risk management inevitable, you can follow these steps:

  • Develop a communication strategy that encourages openness and honesty about risks.
  • Integrate risk-based thinking into existing communication and reporting processes. Develop formats for including risk information in management reporting and performance evaluation of business units.
  • Discuss culture and attitude to risk with senior management and the Board, as well as help communicate Board and senior management expectations to the employees.
  • Share the risk manager’s contact information with employees or provide a confidential hotline for communicating risks through the internal company website or via the phone.
  • Provide a Q&A section and frequently asked questions about risk management and insurance.

Challenges That Come with Building a Positive Risk Culture

Risk culture is a very basic concept on the one hand and very difficult to implement on the other. It’s 2024 at the time of writing, and I don’t think there is any mystery left about how to influence and improve risk culture.

The action points in this article and in RISK-ACADEMY’s action plan are pretty universal and effective. So we know what needs to be done. In fact, I challenge anyone in the risk profession to come up with additional actions not mentioned in the article to improve risk culture further. Yet, implementing these actions is always a huge challenge. Personal biases, hidden motivations, and corporate turf wars make it very difficult for people to be transparent and honest about the risks they take.

So, in my experience, risk culture is not a single thing; it’s millions of small drops in human brains, constant reinforcement and reminders. You never know what will work best, so it’s all about A/B testing, constant trial and error.

How to Overcome the Challenges of Building and Nurturing a Positive Risk Culture

  • Integrate risk management training into existing professional development programs.
  • Develop risk management competencies in all core business units and make them an important attribute when hiring new personnel to the organization.
  • Hold sessions with invited speakers and risk managers from other companies.
  • Sign up for RAW2024 as soon as possible.

Getting the Buy-In from Top Management

The good news is that to overcome the challenges, we don’t need to convert all executives into risk-based decision-makers, at least not initially. Starting with just one executive and one business process or decision is all we need. And there is always someone who appreciates risk-based thinking as much as we do. You just need to find that person.

So, start by meeting everyone and talking to them about their attitude to risk-taking, their experience with risk management and quantitative risk analysis. Soon enough, you will find your audience. Sometimes it may not be the executive but someone in their teams. I personally found most success with directors and GMs, one level below CXOs.

But you know what really helps with buy-in? It’s saving the company a lot of money. There are plenty of risks where the savings are on the surface: reduce the cost of insurance through better quantitative risk analysis, reduce bad debts through better credit risk management, reduce the maintenance budget or CAPEX through better risk analysis, and so on. Once you save your first million, selling risk culture becomes a much easier task. We saved $13M in one year—you can ask me how in the comments.

Actionable Steps Toward Convincing Top Management to Assess the Organization’s Risk Culture

  • Provide an additional opportunity for staff to provide anonymous feedback on behavior and risk culture in their area.
  • Use existing governance mechanisms that offer reinforcement of improvement via issue and action logging, monitoring and progress reporting, as necessary.
  • Monitor the implementation of improvement actions and consider the capability-building required for risk culture audits.
  • Use existing communication channels in the company for sharing success stories and exchanging experiences.

What about Low Risk Maturity?

Risk culture is a problem that I feel we solved long ago. I personally would not waste my time on risk culture assessments; the end result and the actions we need to take are already clear and will not change regardless of the risk maturity.

I provided the actions in this article so you may go ahead and start implementing them. It may take some organizations longer, and some actions will be dropped as not applicable, but overall, the approach for immature risk organizations is exactly the same as for any other organization on the planet. The checklist and actions provided in this article are equally applicable to any size, industry, or country.

How Do You Measure the Effectiveness of Risk Management?

Here is a simple test to determine if the risk culture within your organization is mature and the organization’s risk management is effective:

Open a few past Board decisions, including the memos and presentations that were used to support those decisions. If these supporting documents do not contain proper quantitative risk analysis to support the alternatives presented, risk management has failed. Everything else is RM1.

What’s Your Biggest Recommendation to Risk Managers?

Upgrade your own skills first before trying to influence the company toward a better risk culture. If you don’t understand expected and unexpected losses, why expected shortfall should be used instead of VaR for most risks, what science tells us about using heatmaps, how humans make decisions under uncertainty, or what role sugar plays in this, you have zero chance of selling RM2 to executives. Influencing the culture towards better RM1 is just a waste of time.
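As an added illustration of the expected shortfall versus VaR point above (not code from the article), the following Python computes expected loss, unexpected loss, VaR and expected shortfall on two constructed loss samples that share the same 95% VaR but differ only in their five worst outcomes; the sample values and the VaR-based definition of unexpected loss are assumptions made for this illustration.

```python
from math import ceil

CONFIDENCE = 0.95

# Constructed loss samples (100 outcomes each, think annual losses in $k).
# Both share the same body of 95 moderate outcomes; only the five worst
# outcomes differ, and sample B has a much fatter tail than sample A.
BODY = [10 + i for i in range(95)]            # 10, 11, ..., 104
LOSSES_A = BODY + [110, 120, 130, 140, 150]
LOSSES_B = BODY + [110, 300, 600, 900, 1200]


def expected_loss(losses):
    """Expected loss (EL): the plain average, what the budget should absorb."""
    return sum(losses) / len(losses)


def value_at_risk(losses, confidence=CONFIDENCE):
    """Empirical VaR: the loss that `confidence` of outcomes do not exceed.
    It says nothing about how bad the remaining outcomes are."""
    ordered = sorted(losses)
    return ordered[ceil(confidence * len(ordered)) - 1]


def expected_shortfall(losses, confidence=CONFIDENCE):
    """Empirical ES: the average of the worst (1 - confidence) share of
    outcomes, so it grows when the tail gets fatter while VaR does not."""
    ordered = sorted(losses)
    tail = ordered[ceil(confidence * len(ordered)):] or ordered[-1:]
    return sum(tail) / len(tail)


def unexpected_loss(losses, confidence=CONFIDENCE):
    """Unexpected loss (UL) taken here as the VaR-based buffer above EL
    (assumed definition); it is blind to the tail for the same reason."""
    return value_at_risk(losses, confidence) - expected_loss(losses)


def risk_summary(losses, confidence=CONFIDENCE):
    """All four figures for one loss sample."""
    return {
        "EL": expected_loss(losses),
        "UL": unexpected_loss(losses, confidence),
        "VaR": value_at_risk(losses, confidence),
        "ES": expected_shortfall(losses, confidence),
    }


if __name__ == "__main__":
    # Same VaR (104) for both samples; only ES reveals how much worse B is.
    for name, sample in (("A", LOSSES_A), ("B", LOSSES_B)):
        print(name, risk_summary(sample))
```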

At the end of the day, if the risk culture is not shifting regardless of the actions you take, be selective about the organizations you work for. Sometimes the culture is so toxic that staying is just bad personal risk management.

Elevate your risk management skills and make better decisions with actionable, simple case studies on AI application. Whether you’re new to risk management or a seasoned professional, RAW2024 is designed just for you. From drafting a risk policy in Gemini to running complex Monte Carlo simulations in ChatGPT, our fully online conference is accessible on any device, from any location, at any time. Secure your spot at RAW2024 today!

And to learn more about fostering a positive risk culture in your organization, make sure to watch StrategicRISK’s video on the matter.
