Several things help to make risk management work. These include a risk process that is simple and scalable, which can be applied across the organisation to manage all types of risk. We also need competent people, with the knowledge, skills and experience to deal with the risks that might arise. Infrastructure is also important, providing the tools to support risk management and handle significant amounts of risk data.
But the most important contributor is the culture of the organisation, which provides the context for risk management at all levels. The ideal culture is risk-aware, encouraging people to take the right risks, and rewarding good risk management. So how can an organisation develop a strong and mature risk culture?
Two approaches are possible:
1. Culture first
One possibility is to start at the top, addressing cultural aspects directly. This requires a clear statement of intent from leaders in the organisation, laying out their vision and policy for risk management. They should describe their values and beliefs about risk, and explain the approach that they intend to take in order to exploit risk and create benefits. A senior manager should act as risk champion and the desired risk culture should be actively communicated to all staff, so no-one is any doubt that risk is being taken seriously.
Once a risk-aware culture has been established, other detailed elements can be put into place to turn the risk vision into reality. Staff can be recruited and trained for specific risk roles, risk processes can be developed, and a suitable risk infrastructure can be established. These steps should be easy to do because the risk culture already exists and is understood.
2. Culture last
A second option is not to worry about developing risk culture proactively, but to allow it to emerge naturally. This approach concentrates on putting all the practical elements in place within the organisation to allow risk to be managed properly, with good people, processes and tools. The focus is on getting the day-to-day implementation right.
As people across the organisation put risk management into practice within their routine jobs, they should start to see results. Managing risk properly results in fewer problems and enhanced benefits. As they see risk management working for them, people will recognise the importance of managing risk. Their belief in the value of risk management will reinforce the correct behaviour. A positive cycle is created where acting properly towards risk creates a risk-aware culture, and that in turn makes people want to manage risk in all they do.
If we want a mature risk culture in our organisation, which way is better? Both approaches work, and either one can produce a strong risk-aware culture. So an organisation that is serious about improving the way it manages risk could adopt either approach: deal with risk culture first, or allow risk culture to emerge. However each approach also has potential weaknesses. If you start by addressing culture first, any delay in providing the supporting implementation can result in lost momentum and demotivated staff. But if you concentrate on practicalities and wait for risk culture to develop naturally, the culture that emerges might not be exactly what you expect or want.
The most important thing is to do something! If you want a risk culture that promotes effective risk management at all levels in your organisation, choose one of these two approaches and get started today. Risk culture matters, whether it comes first or last.
[© Copyright 2011, David Hillson/Risk Doctor & Partners]