Yes, building risk culture is that easy! Before I explain, let me first clear few weird misconceptions about risk culture that have been floating around in the non-financial companies:
Making decisions under uncertainty is not natural for humans
Back in 1970s scientists had a breakthrough in understanding how human brain works, what influences our decisions, how cognitive biases impact on our perception of the world and so on. Daniel Kahneman and Vernon Smith received a Noble prize in Economic Sciences back in 2002 “for having integrated insights from psychological research into economic science, especially concerning human judgment and decision-making under uncertainty”. I am amazed how many risk managers and consultants continue to simply ignore this research. Identifying, analyzing and dealing with risks is against human nature. Stop kidding yourself. The sooner we, as a professional community, accept this, the easier it will be to integrate risk management into decision making.
Managers do not take risks into account by default
One of the biggest deceptions floated around is that most business processes already take into account risks and decisions are made by management after careful consideration of risks. Not so. Naturally, managers do consider some of the more obvious risks and there are exceptional cases where risk analysis is already integrated into the decision making. For the other 95% of the companies, existing processes and management tools barely account for the inflation and ignore or purposefully hide significant risks. I bet, if risk managers, instead of running useless risk workshops, had a deep hard look, they would soon discover that budgets are overly optimistic, project plans are unrealistic and some corporate objectives are borderline naïve. But then again, they may not. Because the rest of the company is fine with how things are and will do everything to stop risk managers from getting involved.
Making risk management everyone’s responsibility is just wishful thinking
I don’t quite understand why, but there seems to be an idea that strong, robust, risk aware culture is the ultimate objective. It’s the end result. I mean it sounds great, but it is physically impossible. And this is why I think so many risk managers have failed and so many more are struggling to make an impact. They are trying to move the rock that is not meant to be moved. This is probably the most important point of this article:
The only person in the company who thinks strong risk culture is a positive thing is the risk manager. The rest of the organization sees risk management as a direct threat to their personal interests, their income and their position in the corporate world.
Let me repeat that – Most managers ignore risks and take uncalculated risks for a reason. Most but not all managers and not all the time. And that’s where the risk manager comes in, trying to change the culture of CERTAIN individuals SOME of the time.
Risk management culture is not about hearts and minds
Hopefully by now, after reading everything I tried to communicate above, you realize that management doesn’t care about risk culture. I mean they will still say the right words when risk manager is present, but deep down, nobody will care. The only chance for risk culture to stick is if it makes business sense for the individuals. And I don’t mean soft things like transparency, corporate governance and other nonsense, I mean direct impact on the bottom line or the personal security of an individual. The best examples of managers suddenly becoming very risk aware were when I was able to show that by better managing risks individuals could protect their role, avoid prosecution, have better business case for investors, save on insurance, save on financing costs or to get higher bonuses.
So… shall we get takeaway instead of hot dogs?
And yet despite everything I said above, building risk culture is a piece of cake. Risk managers just have to realize that they won’t be able to convert everyone and some people are beyond help. There is also no single solution that will do the job. It’s all about finding what makes each individual tick. It’s time consuming yes, but not difficult at all. Hence it can be equally applied by large corporations and small and medium sized businesses.
Here are some practical ideas (make sure you click on the links in the article, each one leads to a short video explanation) to get you started:
- Develop high-level risk management policy – It is generally considered a good idea to document organization’s attitude and commitment to risk management in a high-level document, such as for example a Risk Management Policy. The policy should describe the general attitude of the company towards risks, risk management principles, roles and responsibilities, risk management infrastructure as well as resources and processes dedicated to risk management. Section 4.3.2 of the ISO31000:2009 also provides guidance on risk management policy.
- Integrate risk appetites for different risk types into existing Board level documents, don’t create separate risk appetite statements.
- Regularly include risk items on Board’s agenda
- Consider establishing a separate Risk Management Committee at the executive level or extend the mandate of existing management committee – no idea why, but this worked like a miracle for me personally
- Reinforce the “no blame” culture by finding a number of arguments for different situations and different people on why it makes more business risks to disclose and account for risks
- Include risk management roles and responsibilities into existing job descriptions, policies and procedures, committee charters, not into risk management framework document
- Update existing policies and procedures to include aspects of risk management
- Review and update remuneration policies
- Provide risk awareness training regularly
- Use risk management games
- And most importantly, get personally involved into business activities.
You can find more ideas about integrating risk management into day to day operations and building risk culture in the book that is available to download for free at https://www.researchgate.net/publication/323254437_GUIDE_TO_EFFECTIVE_RISK_MANAGEMENT_30. The Russian version is available now at http://www.risk-academy.ru/download/risk-management-book and has already been downloaded more than 37000 times.
Please like, share and comment!
– – – – – – – – – – – – – – – – – – – – –
RISK-ACADEMY offers decision making and risk management training and consulting services. Our corporate risk management training programs are specifically designed to promote risk-based decision making and integrating risk management into business processes. Risk managers all over the world call us in to help sell idea of integrating risk analysis into decision making and using quantitative risk analysis techniques. Check out most popular course for decision makers https://riskacademy.blog/product/risk-based-decision-making-executives/ or our dedicated programs to help risk managers learn the foundations of quant risk analysis https://riskacademy.blog/product/risk-managers-training/. We can also help audit risk management effectiveness or develop a roadmap for risk management integration into decision making https://riskacademy.blog/product/g31000-risk-management-maturity-assessment/
Check out other risk management books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.
As usual you make the mundane interesting and privacative. Perhaps risk culture is really an oxymoron and is really about one attribute of corporate culture. If true then I would suggest your recommendations are realistic and only partial impact might ever be realized. The challenge remains who and how for greatest impact.
Alex, agree 100%. I once wrote you about a case in automotive industry where wrongly applied risk evaluation (actually not real risk evaluation at all) cost a company 8 billion USD claim which it is still paying to a big car producer. The entire management was swept away and lost hefty benefits. When I used to do my FMEA trainings, some people would yawn, only until I would point out this event. Then everybody would realize how great an impact on their own lives and careers would such neglect lead to.