Yes, building risk culture is that easy! Before I explain, let me first clear up some misconceptions about risk culture that have been floating around in non-financial companies.
- Making decisions under uncertainty is not natural for humans
Back in the 1970s, scientists had a breakthrough in understanding how the human brain works, what influences people’s decisions, how cognitive biases affect their perception of the world and so on. Daniel Kahneman and Vernon Smith received the Nobel Prize in Economic Sciences in 2002 “for having integrated insights from psychological research into economic science, especially concerning human judgment and decision-making under uncertainty”. It is amazing how many risk managers and consultants continue to simply ignore this research. Identifying, analysing and dealing with risks is against human nature. They need to stop kidding themselves. The sooner the professional community accepts this, the easier it will be to integrate risk management into decision making.
- Managers do not take risks into account by default
One of the biggest deceptions floating around is that most business processes already take risks into account and that management decisions are made after careful consideration of risks. Not so. Naturally, managers do consider some of the more obvious risks, and there are exceptional cases where risk analysis is already integrated into decision making. For the other 95 percent of companies, existing processes and management tools barely account for inflation and ignore or purposefully hide significant risks. If risk managers, instead of running useless risk workshops, took a deep hard look, they would soon discover that budgets are overly optimistic, project plans are unrealistic and some corporate objectives are borderline naïve. But then again, maybe not, because the rest of the company is fine with how things are and will do everything to stop risk managers from getting involved.
- Making risk management everyone’s responsibility is just wishful thinking
There seems to be an idea that a strong, robust, risk-aware culture is the ultimate objective. It is the end result. While it sounds great, it is physically impossible. This is why so many risk managers have failed and so many more are struggling to make an impact. They are trying to move a rock that is not meant to be moved. This is probably the most important point of this article: the only person in the company who thinks a strong risk culture is a positive thing is the risk manager. The rest of the organisation sees risk management as a direct threat to their personal interests, their income and their position in the corporate world.
Most managers ignore risks and take uncalculated risks for a reason. Most, but not all managers, and not all the time. That is where the risk manager comes in, trying to change the culture of certain individuals some of the time.
- Risk management culture is not about hearts and minds
Hopefully by now, readers realise that management does not care about risk culture. They will still say the right words when the risk manager is present but, deep down, nobody will care. The only chance for risk culture to stick is if it makes business sense for the individuals. This does not mean soft things like transparency, corporate governance and other nonsense; it means the direct impact on the bottom line or the personal security of an individual. The best examples of managers suddenly becoming very risk aware are when they can be shown that, by better managing risks, they could protect their role, avoid prosecution, have a better business case for investors, save on insurance, save on financing costs or get higher bonuses.
So… Takeaway Instead of Hot Dogs?
Despite everything above, building risk culture is a piece of cake. Risk managers just have to realise that they will not be able to convert everyone and that some people are beyond help. There is also no single solution that will do the job. It is all about finding what makes each individual tick. It is time consuming, yes, but not difficult at all. Hence, it can be equally applied by large corporations and by small and medium-sized businesses.
Here are some practical ideas to get started:
- Develop a high-level risk management policy. It is generally considered a good idea to document an organisation’s attitude and commitment to risk management in a high-level document, for example, a risk management policy. The policy should describe the general attitude of the company towards risks, risk management principles, roles and responsibilities and risk management infrastructure, as well as the resources and processes dedicated to risk management. Section 4.3.2 of ISO31000:2009 also provides guidance on risk management policy.
- Integrate risk appetites for different risk types into existing board-level documents; do not create separate risk appetite statements.
- Regularly include risk items on the board’s agenda.
- Consider establishing a separate risk management committee at the executive level or extend the mandate of the existing management committee.
- Reinforce the ‘no blame’ culture by finding a number of arguments for different situations and different people on why it makes more business sense to disclose and account for risks.
- Include risk management roles and responsibilities in existing job descriptions, policies and procedures and committee charters, not in a separate risk management framework document.
- Update existing policies and procedures to include aspects of risk management.
- Review and update remuneration policies.
- Provide risk awareness training regularly.
- Use risk management games.
- Most importantly, get personally involved in business activities.
More ideas about integrating risk management into day-to-day operations and building risk culture can be found in the book that will be available to download next month for free at www.risk-academy.ru/en/download/risk-management-book
As a Board member of the Institute for Strategic Risk Analysis in Decision Making, Alex is responsible for G31000 risk management training and certification across Russia and the CIS, running numerous risk management classroom and e-learning training programs. Since 2015, Alex has represented the Russian risk management community at ISO Technical Committee 262, which is responsible for the update of ISO31000:20XX and Guide 73.