Creating An Effective Risk-Aware Culture

Organizations need to communicate, communicate, and communicate some more

Insider

Chief Risk Officer

An organization is run by its people. Managing risk is a key factor to strategic business planning and success. So the saying that everyone is a “risk manager” may sound cliché and simple, but it’s absolute. How to effectively manage risk and building out a risk infrastructure has evolved dramatically through the years.

The Evolution of Risk

In the early 2000s, financial risk was at the forefront when the Sarbanes-Oxley Act (SOX) was enacted and organizations began to establish the three lines of defense model. The Great Recession led to new regulations and requirements, resulting in organizations reevaluating how they could apply the earlier elements of the risk governance model.

A risk-aware culture took some time for many organizations to adopt after the Great Recession. We often still saw the risk-aware culture broken into a segregated model — the business, and the people responsible for monitoring and calling out what’s wrong.

But, in the last several years, the industry has matured because there is more integration of risk-aware culture across all three lines of defense. Efforts have been made to improve how the teams work together and are better integrated, resulting in operational improvements and cost efficiencies. Enterprise Risk Management teams are now viewed as advisors and align with each business area to strengthen risk management practice and behaviors.

The Five Pillars of Building a Risk-Aware Culture

Step 1: Start at the Top. It’s crucial that management, the board, and the executive level understand that developing or strengthening a risk-aware culture is a necessary and important function. The concepts of risk and the ideas need to be reiterated as the core foundation of the organization.

A risk-aware culture is also dependent upon all the boots on the ground. It’s about the people who are running the day-to-day, and how they think and operate, so you also have to attack it from the grass roots to be successful.

Step 2: Communicate, Communicate, and More Communication. I can’t stress enough the importance of communication. It should be ongoing and shared by leadership, especially non-risk leaders, to engage employees. This further demonstrates that executive leadership supports the risk culture and that the foundation permeates all levels of the organization.

Step 3: Make It Make Sense. Be less academic and be more pragmatic. Convey the concepts of risk so that people not only understand it, but how it applies to their day-to-day role. Risk practitioners can get caught up in textbook risk management. Instead, use terms that are easily digestible to everyone. Employees should understand the “why” of what they’re doing and what the real magnitude of a risk is in order to sustain sound mitigation practices.

What I’ve learned is you won’t be successful if you have a second and third line of defense that only speaks “textbook” language to the business. The business doesn’t always think in terms like “risk and control self-assessment.” But, they can grasp the risk principles. They know that if payroll needs to be out by Friday, data needs to be in, reconciled and approved before files can be sent. They understand that managing cash and executing payroll are higher risk activities. There is risk of fraud and financial loss can occur if not done correctly. They understand the concepts and many times what needs to be done in terms of executing controls. Thinking in a simple manner and speaking in business terms helps build efficient operations and the strongest risk management foundations.

Step 4: Shout Out To Employees. Be an advocate for positive reinforcement. If someone raises their hand and self-identifies an issue, celebrate that behavior as an accomplishment. Rewarding active and visible examples of best practices helps recognize employees while leveraging those examples as learning opportunities for others.

Be less academic and be more pragmatic. Convey the concepts of risk so that people not only understand it, but how it applies to their day-to-day role.

In every employee’s performance management goals, risk management should be embedded as one of those objectives. Everyone needs to know that their roles support a strong risk culture.

Additionally, ongoing training is essential at all levels of the organization. At onboarding, and then repeated at least annually for reminders. Developing risk management awareness ensures the organization is evolving as new practices are introduced and/or the organization matures its framework and processes.

Step 5: Measuring Your Progress. When establishing baseline processes, the structures you put into place are your measurement vehicles. For example, issue remediation, risk assessments and control performance — these are data-driven points leveraged to determine how the risk environment is doing and whether it’s improving or degrading.

From a qualitative perspective, it’s about the dialogue and feedback between the regulators, the board and other leaders in the organization. You can’t eliminate risk but it can be managed effectively. There will always be challenges. So when you hear that the business is able to take the lead and articulate the risk to the board or management about how an issue will be remediated, you know you’ve been successful in building a risk-aware culture.

Developing risk awareness and a strong risk-aware culture takes time and is a process that relies on continued commitment and continuous improvement.