Key steps to developing a healthy risk culture

What is a risk culture?

Risk culture refers to the beliefs, knowledge, values and processes regarding risk within an organization. This collective outlook shapes how the organization manages risk, including how it identifies, assesses, communicates and responds to the myriad risks that it faces.

"Risk culture encapsulates the norms of the organization and the way it does things. And it could be good or bad," said Guy Pearce, an IT and data consultant serving as a member of the Emerging Trends Working Group at professional governance association ISACA. "It's the way an organization behaves. It's how they manage uncertainty to make sure they meet their objectives."

In an organization with a strong risk culture, executives do the following:

• Actively manage risk.
• Share information about the organization's risk appetite and risk tolerance with stakeholders.
• Communicate their approach to risk with employees throughout the organization.
• Expect workers to take responsibility for risk as part of their jobs.

Additionally, organizations that have a strong risk culture are transparent about the risks they face and how they manage them. "There's a shared vision of an outcome," Pearce explained. A strong risk culture thus starts with a high-level commitment to having a robust risk management strategy and integrating risk management into the organization's corporate governance structure.

"It definitely takes someone at the top who values the importance of knowing the risks, classifying risks and tackling risks," agreed Sarah Lynn, a partner at assurance and advisory firm BPM. She added that a strong risk culture integrates risk management into the organization's corporate governance structure, noting that regulated and publicly traded companies -- both of which must report on risk -- generally have strong risk cultures.

On the other hand, organizations with weak risk cultures lack a strategic approach to risk. These organizations tend to manage risk in a siloed manner, such as division by division or department by department. In some cases, leaders at these organizations might even ignore, conceal or downplay risks to their stakeholders. Such top-level behaviors then set the norm for the rest of the workforce. "If you set the wrong example at the top, then it will follow that the bad tone will exist throughout the organization," Pearce said.

Characteristics of a strong risk culture in an organization

The characteristics of a strong risk culture include the following:

• Having a robust risk management strategy that includes a risk register.
• Actively managing risks, rather than treating risk management as merely a compliance or check-the-box exercise.
• Managing risks at the top level of the organization, with executives establishing the risk appetite and risk tolerance for the organization to guide departments as they make more granular risk management plans for their activities. These organizations have "leadership that frequently discusses risk in a positive way and encourages everyone to be risk managers," said Caitlin Holmes, senior managing director at FTI Consulting.
• Having an enterprise approach to risk management, rather than seeing it as a siloed activity.
• Integrating risk management into the organization's operations and activities.
• Having employees throughout the company who know the risks the organization faces, how those risks can affect the organization and can manage those risks in ways commensurate with their positions.
• Having employees who are empowered to protect the organization against identified risks and alert the organization to new or changing risks. "A strong risk culture will also have a well-defined escalation mechanism or path for employees to raise and identify risks," Holmes said.
• Having leadership that recognizes and rewards departments, managers and employees for behaviors that align with the organization's risk-related positions, policies and procedures.

5 steps to improve the risk culture of your business

According to risk professionals, many organizations could do more to align employees with the enterprise risk strategy and empower them to take appropriate actions. Here are five actions for improving your risk culture:

1. Establish and continuously review the organization's risk management strategy. This work should include determining the organization's risk appetite and risk tolerance, identifying risks, implementing controls and tackling other key components of a strong risk management function.
2. Integrate risk into strategic planning and operations. To build a good risk culture, risk management must be part of the organization's everyday work.
3. Have executives take the lead. The executive team must set an example for how it wants others in the organization to manage risks. "If the CEO, the C-suite, the board of directors and key stakeholders do not value identifying and managing risks, then the rest of the company will do the same," Lynn said.
4. Communicate the organization's risk management strategy and train employees on what actions to take. Employees need to know about the risks the organization faces and the planned responses so they know how to act when they encounter those risks. "[Senior management] needs to consider the current culture and identify what aspects need to change and bake that into their messaging," Holmes said. From there, assess the risk management knowledge throughout the organization and provide high-level risk training to all employees. This training should include basic risk management concepts and an overview of the process for escalating risks when encountered.
5. Recognize and reward employee behavior that aligns with the organization's risk policies. This empowers workers to take the desired action and helps build a strong risk culture. "You want people outside of the risk function to embrace, identify and work with the risk function to address risk," Holmes said.

What's the difference between risk culture and risk awareness?

Risk awareness and risk culture are not synonymous terms.

Risk awareness is typically defined as an individual's understanding of the potential threats facing the organization and knowledge of the organization's policies for handling those threats. As such, it measures whether and how well individuals are educated on the topic.

Risk culture, as explained, speaks to whether employees individually and collectively are able to effectively manage risks based on their risk awareness.

For example, a risk-aware worker might know about phishing emails but still fail to report receiving one, whereas a worker in an organization with a good risk culture will recognize the suspicious email, have a readily available channel for reporting it and do so.

"A good risk culture is one where every staff member has a responsibility to control uncertainty in the organization," Pearce said.

Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.