6 Steps to Building a Vibrant Performance-Focused Risk Culture

This post was originally featured on the blog "ERM Insights by Carol"

Even without the disruptions and displacements caused by the COVID-19 pandemic and the various responses to it around the world, companies are facing an unprecedented number of challenges, many of them unheard of as recently as a decade ago.

Changing regulations, shifting consumer demands, rapidly evolving technology, and an overall uncertainty of what the future holds are a few reasons for these challenges.

Never before have companies needed the right tools to address and overcome challenges as much as they do today. Companies that neglect to develop these critical tools do so at their own peril and put themselves at increased risk of financial loss, displacement by more agile competitors, and a host of other potential consequences.

Fortunately, tools do exist for helping companies overcome these challenges and thrive in the long-term. The problem is that many executives consider enterprise risk management (ERM) as a bureaucratic exercise and wasted investment for satisfying regulators, auditors, and investors.

However, when done properly, ERM is a valuable tool in the toolbox for companies to ensure future success and provide a competitive advantage. Rather than the never-ending scramble, robust ERM ensures informed decisions are being made in pursuit of strategic goals.

Every organization performs risk management in one way or another, whether it’s purchasing liability coverage or taking basic safety measures. However, as I discuss in my cornerstone article comparing traditional and enterprise risk management, these efforts are often disjointed with no connection to strategic objectives.

To move beyond this “silo” approach, risk and opportunity must be embedded throughout the day-to-day activities of the company.

Ultimately, the success of any effort to integrate risk into strategic decision-making hinges, not on a given standard or process, but on company culture.

As McGill University management professor Henry Mintzberg succinctly states:

“Culture is the soul of the organization – the beliefs and values, and how they are manifested. I think of the structure as the skeleton, and the process as the flesh and blood. And culture is the soul that holds the thing together and gives it life force.”

Now to be clear, when I discuss a performance-focused risk culture, I’m not talking about building some sort of separate ethos specific to risk topics, but rather a component within a company’s culture. This Great Place to Work article on great company culture lists six specific elements that make up that so-called great company culture. While “risk” is not one of those elements, I think it is spread out over those six elements.

For example, with fairness as one of the six elements, management must assess the risk of the employees having even the slightest perception of being treated unfairly; most management will deem the situation not worth the risk and make the decision that treats employees fairly. This thought process also builds trust in management, which is another element of great company culture.

A previous iteration of this topic includes many of the same steps outlined below, but the discussion framed risk culture in a “failure prevention” mindset instead of one focused on achieving objectives and ensuring long-term success.

Companies that use ERM only in an attempt to prevent failure will wind up suffering many of the consequences outlined earlier, which is why developing a risk culture must also include an awareness of measured risk-taking for ensuring the company’s long-term success.

Six steps companies can start taking immediately to build awareness around risks and opportunities include:

Start with the right tone at the top

For any risk culture to take root, executives must absolutely take a leading role. A 2018 survey of readers of the blog, ERM Insights by Carol, indicated this as being a core challenge to implementing an effective ERM process. Without the right “tone at the top,” the company will, at best, struggle to meet its strategic goals.

Collaborative leadership

Certain company cultures are very top down, or dare I say, authoritarian. Executives will hand down a directive and expect it to be done without any input from those who must implement the new policy or approach. Instead, executive leaders should embrace a more collaborative approach and empower their managers and employees to make decisions and take action within clearly communicated parameters.

Make sure culture reflects current or future reality, not the past

When a company is first starting out, approaches and processes will not be the same as they are for a more established firm with hundreds of employees. If your company has grown but is still operating as a start-up, it’s time to take a step back and make across-the-board adjustments so the company can manage risks and seize opportunities as effectively as possible.

The other side of this is to also think about where the company wants to be in the next 3-5 years. The work being done on company culture should also take into consideration what the company wants to become, so that when that day becomes reality, you aren’t in catch-up mode all over again.

Be clear about where the company is and where it wants to go

Communication occurs one way or another, but is everyone from executives on down to mid-level managers and employees clear on the company’s goals and their role in pursuing them? Clear and consistent communication from the top down, but also from the bottom up and between departments, is a crucial component of building a performance-focused risk culture.

But before a company can communicate about its goals, the executives must first take the time to deliberately and thoughtfully identify those goals, the initiatives and actions that must be taken to achieve them, and leadership’s expectations of the rest of the company.

Develop or update corporate policies

This may seem a bit rudimentary, but it’s amazing how many companies I encounter that lack clearly articulated governance and other common internal policies. Without this sort of structure in place, companies will struggle to hold people accountable, which creates unnecessary risk to the day-to-day running of the business, the ability to achieve strategic and business objectives, and the company’s reputation.

Follow through on deadlines and other agreed-upon actions

While we should always celebrate wins and milestones, there must also be mechanisms in place to address employees, managers, and even executives who do not fulfill their obligations. This doesn’t automatically mean termination, but if someone is not meeting expectations or violates the trust placed in them, steps need to be in place to hold them accountable.

I believe the essence of a performance-focused risk culture is best summed up by risk consultant and trainer Horst Simon when he explains:

“An effective risk culture is not a matter of risk assessment or level of compliance; it is a matter of individual ownership of risk and personal ‘conviction’ – a state of mind where human beings own the risks and the process of managing those risks through making well-informed risk decisions because they want to, not because they have to.”

That, in the end, is what separates companies that successfully integrate risk into decision-making from those that don’t: employees from top to bottom must want to do it.

The six steps outlined above are a great starting point for getting your culture to this place.

What other steps would you add to the list for working on risk culture?
