How to Develop a Risk Culture at Your Organization

Risk is inseparable from the modern business landscape – and therefore, every company needs an effective risk management program to identify, assess, manage, and mitigate risk.

Robust processes, solid internal controls, and an enterprise risk management framework can help an organization identify best practices, share knowledge, and track metrics to meet these strategic objectives. But another critical element to risk management binds all those other components together: risk culture.

The Institute of Risk Management (IRM) defines risk culture as “the values, beliefs, knowledge, attitudes, and understanding of risk shared by a group of people with a common purpose.” This culture encompasses every aspect of risk, including:

• Which risks are relevant to the organization
• How these risks will be managed
• Risk appetite and risk tolerance
• How decisions about risk are made

A healthy risk culture means everyone understands the organization’s approach to risk, follows risk management policies and practices, and takes responsibility for managing risk.

Why a Strong Risk Culture Matters

A strong risk culture matters because, ultimately, people are what makes effective risk management possible. A risk-aware culture promotes a shared understanding of risk and supports the organization’s strategy, business model, operational practices, and competitive advantage.

When firms don’t foster a risk culture, they struggle to manage risk. As a result, they are vulnerable to potentially crippling consequences. They may make poor decisions that prevent the organization from achieving its operational and strategic goals. In the worst cases, those poor choices damage the company’s financial standing, compliance posture, and reputation.

A strong risk culture allows organizations to design appropriate risk management processes, mechanisms, and policies. It provides organizations with language for articulating acceptable levels of risk. Then accountability for risk management and decision-making is improved, and that ultimately drives the success of the enterprise risk management (ERM) program.

Creating a solid risk culture starts with assessing the current risk culture and evaluating the sustainability of risk management initiatives. Those things, in turn, begin with a look at your organization’s risk appetite.

What Is Risk Appetite?

Risk appetite is the amount of risk a company is prepared to take to achieve its goals before deciding what steps to take to lower that risk. Organizations assess their risk appetite to see how much financial and operational risk they are prepared to accept to innovate and achieve their goals.

The first thing to understand about risk appetite is that you decide (or more precisely, the senior management team decides) the level of risk-taking your company is willing to bear. Why? Because figuring out your risk appetite will help you determine how much risk you can handle, which helps you to distinguish risk tolerance from risk appetite.

Industry, corporate culture, rivals, nature of the goals pursued (such as how aggressive they are), financial strength, and organizational capacities are just a few of the variables that might affect risk appetite. It’s also important to remember that your risk tolerance may fluctuate over time. Therefore, it’s usually a good idea to evaluate your risk profile against risk criteria regularly – say, once or twice yearly, or perhaps even daily in particular risk situations. The frequency depends on the situation, available resources, talents, technologies, or systems.

Why Is Risk Appetite Important?

Understanding risk appetite is crucial because decision-makers must know what their risk exposure is if they want to perform effective risk analysis. For example, an organization implementing new business systems can focus on growth opportunities after determining the cyber risk appetite related to their business objectives.

Additionally, risk appetite helps the company to identify initiatives that limit potential losses and achieve higher returns. That increases the investor’s and the entity’s overall rewards.

What Is a Risk Appetite Statement?

An organization’s risk appetite is documented in a risk appetite statement, which outlines the risk-taking initiatives necessary to meet business objectives as well as the steps to take to reduce bad outcomes.

Every leader can benefit from a meaningful risk appetite statement that aligns with the organization’s goals, as a tool to support risk-aware decision-making. In addition, a public risk appetite statement strengthens your company’s commitment to mindful risk management in a risk-aware culture.

A good risk appetite statement includes plans for tackling any risks that threaten the organization’s capacity to accomplish its objectives. Here are a few fundamental ideas to keep in mind as you prepare to write your organization’s risk appetite statement.

Recruit a Diverse Workforce to Produce the Document

You’ll get a more informed and precise description of the organization’s risks when you include viewpoints from across the enterprise while writing your statement, so solicit input from a varied group of stakeholders and subject matter experts. Share examples of compelling risk appetite statements with the group, and remind them of the organization’s business objectives to get everyone up to speed on the job.

Start With a Plan

The organization’s goals and business objectives directly affect the level of risk it is willing to assume. Using those as the group’s “north star” will help the team stay on task and create a better document for evaluating risk exposure and developing the risk appetite statement.

Include a Brief Executive Summary

Every organization has an extensive collection of company documents, policies, and procedures; you want your risk appetite declaration that will actually be read, distributed, and used. Incorporate an engaging executive summary to outline the purpose of the document. Include images and graphics because those items are frequently a simpler, more powerful way to convey information.

Give Clear, Quantitative Definitions of Measurements

Metrics give teams a way to gauge risk levels. While some organizations develop their own risk scoring scales, others rely on well-known models and methods. Whatever approach you decide on should be easy enough for the reader to understand and use.

Metrics and charts also help visualize volatility and concentrations of risk, which helps for quick decision-making. For example, how many job openings can the company tolerate? How many hours of system downtime are acceptable? Concerns are quickly visible with metrics and graphs.

Remain Current

A risk appetite statement should be a “living document.” Review it at least once a year to assure that it still reflects the organization’s evolving risk appetite and current strategic objectives.

How to Assess Your Workplace Risk Culture

When evaluating your workforce’s risk culture and risk intelligence, it’s essential to assess several factors.

Risk Messaging and Communication

A strong risk culture promotes uniformity in risk messaging and a shared understanding of risk across the enterprise. Clear communication using a shared risk vocabulary improves the organization’s risk understanding, intelligence, and culture.

If this messaging is inconsistent (especially from leadership or senior management), that creates confusion among the broader workforce and weakens overall risk management.

Understanding of the Value of Risk Management

In a risk-intelligent culture, people understand risk and see the value of risk management. Moreover, they take responsibility for risk management and encourage others to do the same. They feel comfortable challenging authority figures (respectfully), and those leaders recognize that such conversations help strengthen the risk culture and respond positively.

Risk Governance Structure

The enterprise risk governance structure influences risk management and risk intelligence. This structure should include risk management policies, procedures, oversight activities, various types of risk assessments, risk indicator reports, and code of conduct and ethics programs.

Alignment of Individual Interests and Organizational Risk Strategy

When individual interests and values align with corporate values, risk appetite, tolerance, and strategic objectives, it usually indicates a risk-intelligent risk organization. A sense of common purpose, ethics, and approach among individuals and the enterprise helps to minimize risk and boost decision-making.

Regulatory Requirements and Other External Attributes

Regulatory requirements and the expectations of customers, investors, and other stakeholders can affect risk culture. If the organization aligns its risk management processes with these expectations, it can strengthen its risk culture and improve its risk resilience.

Critical Elements of a Strong Risk Culture

These key characteristics characterize strong risk culture:

• An enterprise-wide definition of risk and a risk “language”
• A common risk management framework supported by standards and controls
• Clearly-defined roles, responsibilities, and decision-making authority
• A workforce that takes individual and collective responsibility to manage risk
• A robust infrastructure to help business units meet their risk management responsibilities with full accountability
• Full transparency and visibility into risk management practices, particularly for governing bodies such as audit committees and the board of directors
• Shared functions such as IT, legal, HR, and finance help business units manage their risks in alignment with the overall enterprise risk program
• Compliance, internal audits, and risk management teams monitor the risk function and report its effectiveness and performance to the leadership, the Board, and other governing bodies
• Learning is encouraged to manage risks more effectively and avoid repeating mistakes
• Decision-making is guided by both organizational strategy and ethics

5 Strategies to Improve Risk Culture

A healthy risk culture strengthens risk management and improves risk-related decision-making. Building that effort, however, requires time and patience. Fortunately, an organization can create the desired risk culture if it follows these five strategies.

Start From the Top Down

Risk culture depends on the support and involvement of executive leadership. C-suites and corporate boards must be convinced of the value of good risk culture, prioritize it, and communicate its value across the workforce. They must build a consensus about the type of culture they want, why they want it, and how it can be enhanced.

Above all, leadership must lead by example and demonstrate desired risk-related behaviors and business decisions.

Employee Risk Awareness Training

To improve risk awareness, leadership should communicate using a common risk management vocabulary. Risk management roles, responsibilities, and accountability structures should be set up and shared. If possible, employees should receive customized training based on their duties and business unit. Risk management education should be included in new employee training.

Increase Risk Visibility

When employees have better visibility into risks, they can understand individual and collective actions necessary to manage them. Take advantage of having well-informed employees; seek employee feedback. Employee involvement can strengthen the risk culture significantly.

For example, employees can help identify specific risks and participate in establishing robust protocols, policies to guide actions, and communication flows to share risk information.

Align Risk Performance Metrics with Incentive Systems

Rewards, recognition, and incentives are powerful ways to drive and reinforce positive employee behaviors. Embedding risk performance metrics into motivational systems and compensation structures can help drive positive risk-related behaviors and strengthen the risk culture.

At the same time, it’s also important to hold people accountable for their actions and quickly address gaps that harm risk management and weaken risk culture.

Evaluate and Report Progress with Quantitative and Qualitative Metrics

The effectiveness and performance of the organization’s risk culture can be evaluated by looking at:

• Risk management ownership by business units
• Acceptable level of leadership and board support and sponsorship
• Results of critical risk-related decisions
• Use of risk appetite and tolerances in decision-making
• Alignment of risk management policies with strategic planning and risk culture with organizational culture

As risk appetite, risk tolerance, or business strategy change, these metrics should be modified to support ongoing risk culture evaluations.

Manage Risk Appetite Efficiently with Reciprocity ZenRisk

Enhanced risk visibility is invaluable to promoting a solid, risk-intelligent culture. Improve visibility into your risk landscape with the integrated risk software solution offered by Reciprocity ZenRisk. ZenRisk shows where risks exist and where they are changing so you can take the necessary actions to minimize business exposure.

ZenRisk provides multivariable scoring to help you evaluate risks across connections and business objectives. Identify and remediate threats in real-time with its intuitive workflows and automated alerts that support continuous risk monitoring.

Solve your risk management challenges and drive a thriving risk culture with Reciprocity ZenRisk. Schedule a demo today to see how Reciprocity ZenRisk can help your organization.