5 Steps to Building a Risk Culture
How many times have you heard someone say it was the laid-back “company culture” or “company attitude” toward risk that essentially caused the crisis? In other words, the company was not proactively thinking ahead and taking preventative measures before a crisis occurred. Just a few that come to mind: BP and the Deepwater Horizon spill; AIG and the financial crisis; and GM and the ignition switch. And the list goes on.
So exactly what is it they mean by culture? By definition it’s an organization’s vision, values, norms, systems, symbols, language, assumptions, beliefs and habits. But it’s also the pattern of collective behaviors and assumptions taught to new employees as a way of thinking, behaving and responding to doing business.
For risk management, a company’s culture can be the linchpin in good decision making and communication in daily business activities. It can motivate people to respond appropriately to a problem event or issue, but it can also work to silence employees and defer critical decision making.
So how can an organization build and promote a positive risk culture? As with building a safety culture, here are five key areas that every organization should focus on to build a positive risk culture:
- Be proactive toward risk, don’t wait for a crisis.
Senior leadership should practice routine communication throughout the organization about why managing risk is important and that being compliant just isn’t enough. Develop business continuity plans and emergency or incident response programs that promote ongoing participation.
- Show support through investment in risk management.
Nothing gets people’s attention like putting your money where your mouth is. Invest in training, program development or technology to manage your risk.
- Create bottom-up communication.
Incorporate a communication system that encourages front-line employees to identify and report potential issues or problems to management. The system should allow employees to remain anonymous, if desired, and should require a response by management, with the ability for automatic escalation.
- Identify, prioritize and monitor risk.
Keep employees in the know by maintaining consistent risk management processes across the organization. Also, providing frequent and detailed training for employees will promote improved understanding of the various risks that the company is exposed to and will enable employees to appropriately monitor and respond.
- Frequently evaluate risk.
Companies should routinely evaluate the various risks they are exposed to. This should be part of regular business operations in addition to an annual program review. Managers at all levels should have part of their compensation tied to evaluating and mitigating their area of risk.