It seems like I am seeing more and more discussions in the press and blogs about “Risk Culture” and how important it is to have a “Strong” one. This is particularly common whenever there is a high profile negative risk event reported in the press and, unfortunately, there continue to be a lot of those. This activity has also spurred several consulting companies to launch interesting surveys designed to measure the strength of organizations’ risk culture. With all of this talk of risk culture and my predisposition to thinking that culture has something to do with Sociology, I can’t resist delving deeper.
Let’s break apart the term Risk Culture. ISO 31000 defines risk as the “effect of uncertainty on objectives.” Merriam Webster defines culture as “the set of shared attitudes, values, goals, and practices that characterizes an institution or organization” and “…consists of language, ideas, beliefs, customs, taboos, codes, institutions, tools, techniques, works of art, rituals, ceremonies, and symbols”. The conjunction of these two definitions alone do not completely define the way in which the term “Risk Culture” is being used and most certainly do not inform us about what might be considered a “strong” or “weak” risk culture. What is really meant by an organization having a strong risk culture is a culture not only geared toward minimizing the “effect of uncertainty on objectives” but objectives that are in some manner virtuous – such as complying with legal directives, moral codes of conduct, or producing a sufficient principled return for shareholders. So, having a strong risk culture in this sense is a good thing to have!
In practical terms, here are some areas to consider when evaluating and strengthening your risk culture:
- The scope of culture is not only internal to your organization but includes third parties acting on behalf of your organization
- Attitudes, values (including code of conduct), goals, and practices need to be aligned across the organization, including aligning individual employee incentives to desired attitude, value, goal, and practice
- Attitudes, values, goals, and practices cannot be shared if they are not communicated on a regular basis throughout the organization, from the board of directors to every employee of the organization. There are two aspects of this communication: sharing the organization’s objectives and sharing the organization’s risk management practices
- The language of risk (risk taxonomy), how the organization views risk (it’s appetites and tolerances), and the techniques of how to assess, decision, and monitor risk should be clear to everyone in the organization that interacts with risk
- Risk taboos should also be clear and enforced at all levels of the organization, without exception. Taboos are as simple as each manager abiding by and reinforcing with their direct reports the day to day use of agreed-upon risk management practices or as difficult as terminating employees that breach risk-related protocols or limits. This is tone at the top in practice
- Tools used to identify, assess, decision, treat, and monitor risk should reinforce risk culture in every respect including risk language, risk practice, and identification and response to taboo risk events
- Employees should be recognized for risk well managed. Again, this may be as simple as the boss giving an employee a pat on the back, recognizing an employee among peers, or financial rewards for demonstrating strong risk management.
