Building and nurturing a positive risk culture: a practical guide + video

This week StrategicRISK invited three fabulous speakers, all of whom have loads of experience in the area of establishing risk culture. The panel consisted of Tom Hughes, Head of risk and financial crime at Simply Health, Claire Hopper, Sales engineer at Risk Connect, and Alex Sidorenko, Group head of risk, insurance, and internal audit at Sierra Verde.

What does positive risk culture look like?

To me, positive risk culture is when people within the organisation reach out to the risk management team to perform risk analysis before making an important decision, or do the risk analysis themselves using proper risk analysis techniques, no heatmaps or other horoscopes. Most of the risk manager’s time is usually spent chasing departments and executives, trying to convince them to stress test their assumptions, frame the decisions, find better alternatives and perform quantitative risk analysis to compare the alternatives. Organisations that do that organically and consistently have a very mature risk culture. Mature organisations encourage transparent risk discussion and risk taking; risks are balanced against the rewards and clearly documented.

Actionable steps: If you want meaningful changes for your organisation do the following:

  • Embed risk-based thinking into existing leadership charters, policies, standards and job descriptions.
  • Integrate risk-based thinking into existing protocols for investment, capital decisions, long term contracts or other significant technical or financial decisions.
  • Encourage decision makers to consider and disclose risk information during regular management and Board meetings.
  • Adopt a risk-based approach that focuses resources on areas of highest risk to the organization during planning and budgeting.
  • Incorporate risk adjustment into the performance metrics of key leaders and managers, exclude KPIs that encourage risk ignorance or excessive risk taking.
  • Build relationships and align methodologies with other back office departments, like financial controlling, IT, safety, environment or others.
  • Participate in relevant major performance improvement work.

Improve culture by making risk management inevitable

In my experience risk management is not taken seriously, no matter the tone at the top, unless risk management becomes inevitable and unavoidable. This means whenever a decision or significant topic is presented to a Board or an executive committee it has to be supplemented with proper quantitative risk analysis. I usually start with Board decisions and then blend risk management into everything important an organisation does: budgeting, procurement, investment decisions, project management, external presentations and so on. Effective decision-making in a positive risk culture organisation involves considering multiple alternative risk-weighted options, not just a single path for approval.

Making risk management inevitable comes with a challenge, because as soon as you create a requirement to perform risk analysis to support each important decision, someone has to do it and do it in a mathematically sound way. This means either teaching the business to do it (not an easy task, let me tell you) or doing the risk analysis yourself (easy, but it quickly becomes overwhelming given the quantity of decisions). So I usually prioritise and start with one decision at a time. Don’t underestimate the challenge either; it may well take a full year to understand the intricacies of a process like vendor accreditation, selection, procurement and performance management, and to figure out that not one but 3 separate risk methodologies are required to support the decisions. This would not be possible without building strong relationships with risk owners and finding what motivates them to account for risk. Again, this is not a simple task: risk owners prefer to ignore risks unless you find a tangible way to make it worth their while to disclose and be transparent about risks.

Actionable step: If you want meaningful changes for your organisation do the following:

  • Develop a communication strategy that encourages openness and honesty about risks.
  • Integrate risk-based thinking into existing communication and reporting processes. Develop formats for including risk information in management reporting and performance evaluation of business units.
  • Discuss culture and attitude to risk with senior management and the Board, as well as help communicate Board and senior management expectations to the employees.
  • Share the risk manager’s contact information with employees or provide a confidential hotline for communicating risks through the internal company website or via the phone.
  • Provide a Q&A section and frequently asked questions about risk management and insurance.

Challenges, challenges, challenges

Risk culture is a very basic concept on one hand and very difficult to implement on the other. It’s 2023 at the time of writing and I don’t think there is any mystery left about how to influence and improve risk culture. The action points in this article and in RISK-ACADEMY’s action plan are pretty universal and effective. So we know what needs to be done. In fact I challenge anyone in the risk profession to come up with additional actions not mentioned in the article to improve risk culture further. Yet, implementing these actions is always a huge challenge. Personal biases, hidden motivations and corporate turf wars make it very difficult for people to be transparent and honest about risks they take.

So, in my experience, risk culture is not a single thing; it’s millions of small drops in human brains, constant reinforcement and reminders. You never know what will work best, so it’s all about A/B testing, constant trial and error.

Actionable step: If you want meaningful changes for your organisation do the following:

  • Integrate risk management training into existing professional development programs.
  • Develop risk management competences in all core business units and make them an important attribute when hiring new personnel to the organisation.
  • Hold sessions with invited speakers, risk managers from other companies.
  • Sign up for RAW2023 as soon as possible.


How to get buy-in from top management

The good news is that to overcome the challenges, we don’t need to convert all executives into risk-based decision makers, at least not initially. Starting with just one executive and one business process or decision is all we need. And there is always someone who appreciates risk-based thinking as much as we do. You just need to find that person. So start by meeting everyone and talking to them about their attitude to risk taking, their experience with risk management and quantitative risk analysis. Soon enough you will find your audience. Sometimes it may not be the executive but someone in their team. I personally found most success with directors and GMs, one level below CXOs.

But you know what really helps with buy-in? Saving the company a lot of money. There are plenty of risks where the savings are on the surface: reduce the cost of insurance through better quantitative risk analysis, reduce bad debts through better credit risk management, reduce the maintenance budget or CAPEX through better risk analysis, and so on. Once you save your first million, selling risk culture becomes a much easier task. We saved $13M in one year; ask me how in the comments.

Actionable step: If you want meaningful changes for your organisation do the following:

  • Provide an additional opportunity for staff to provide anonymous feedback on behaviour and risk culture in their area.
  • Use existing governance mechanisms that offer reinforcement of improvement via issue and action logging, monitoring and progress reporting, as necessary.
  • Monitor the implementation of improvement actions and consider the capability-building required for risk culture audits.
  • Use existing communication channels in the company for sharing success stories and exchanging experiences.

What about low risk maturity?

Risk culture is a problem that I feel we solved long ago. I personally would not waste my time on risk culture assessments: the end result, the actions we need to take, is already clear and will not change regardless of the risk maturity. I provided the actions in this article; go ahead and start implementing. It may take some organisations longer, and some actions will be dropped as not applicable, but overall the approach for immature risk organisations is exactly the same as for any other organisation on the planet. The checklist and actions provided in this article are equally applicable to any size, industry or country.

How do you measure risk management effectiveness?

Here is a simple test to determine whether the risk culture within your organisation is mature and the organisation’s risk management is effective: open a few past Board decisions, including the memos and presentations that were used to support those decisions. If these supporting documents do not contain proper quantitative risk analysis to support the alternatives presented, risk management has failed. Everything else is RM1.

What’s your biggest recommendation to risk managers?

Upgrade your own skills first before trying to influence the company toward better risk culture. If you don’t understand expected losses and unexpected losses, or why expected shortfall should be used instead of VaR for most risks, or what science tells us about using heatmaps, or how humans make decisions under uncertainty and what role sugar plays in this, you have zero chance of selling RM2 to executives. Influencing the culture towards better RM1 is just a waste of time.

At the end of the day, if the risk culture is not shifting regardless of the effort you put in, choose the organisations you work for wisely. Sometimes the culture is so toxic that staying is just bad personal risk management.
