I was recently asked about my views on creating a ‘risk culture framework’.
My immediate reaction was to question the question. Has our profession gone too far with jargon? Are we over formalising risk protocol?
Indeed, risk culture is important.
Culture is all about people. In fact, all risks are caused, managed, seen, heard and felt by people. And while processes and frameworks exist, we must acknowledge that to improve risk culture, we must influence behaviours and attitudes within our organisations.
The term ‘risk culture’ provides an imperative to take risk management beyond theory and into practice.
It gives us the impetus to think, how can we:
Some would say, ‘create a risk culture framework’ and ‘ensure it has X, Y, and Z’.
But I say, it is less about the framework and more about people, relationships and building engagement.
Only then can we really achieve points 1 through to 5.
So, how would I do it?
Here are my three simple whys and hows to risk culture.
And there is no dedicated risk culture framework insight.
So you can support the c-suite and department heads with their decision-making. And positively influence their attitudes and behaviours towards risk-taking.
This means making an impact on their hearts and minds.
Get into their heads. What are their priorities? What are their KPIs? What do they care about most?
I challenge risk managers to drop the frameworks, processes, templates and try to empathise with the decision-makers through this simple exercise.
Think about the key stakeholders one at a time or as a collective and write out what decision-makers are:
Do this, not in the context of risk, but by thinking about their typical business activities. Consider these questions:
Now think about your typical risk registers, reports or discussions:
Use this exercise to help you think differently. Because the fact is, your approach or template might not resonate with the decision-makers.
You might find that, instead, it is the level of detail you capture, your ability to offer new ideas or challenge current approaches that builds the engagement you really want.
Next, introduce a set of guiding principles. This should build on the above exercise and align with your company’s values. Each one should focus on a behaviour and serves as a journey with potential improvement actions.
Here are my guiding principles. It describes how I would position risk management. I call them ‘ETCHED’.
Then create a communication plan that supports and complements your guiding principles. I place ETCHED on a slide and use it every single time I speak, until the people at the table can tell me what ETCHED stands for and what it means to them.
Because risk management is not a stand-alone process. Good risk management will empower incisive decisions on risk-taking, innovation and opportunities across the entire company.
Map out and prioritise key decision-making processes and the people behind them – both committees and individuals. And take these key steps to help them see where there is room for improvement:
There are different ways to embed risk management and risk culture in decision-making. Here are a few examples:
Risk appetite statements should stop decision-makers dead in their tracks – and encourage them to consider their choices before a decision is made.
What are the real deal breakers? What lines should not be crossed? How are these considerations articulated in your statements? Do decision-makers struggle to see the points?
Consider two approaches – upside risks (rewarded) or downside risks (unrewarded).
For rewarded risks: statements should include direct questions or encourage the board and leadership to question whether they are taking enough risks.
For example, are risks proportionate to the real strategic threats?
Take HMV, Kodak, Blockbuster – these companies went bust because they didn’t take enough risk to drive material change in their products and services.
Here’s another way of looking at it. Tesla vs Ford – who needs to take more risk? Should Tesla’s board support going to space? Should Ford’s board invest in alternative motors or technology?
For downside risks: No one wants these to happen but do the statements and sentiments drive strategy around how these risks should be managed, resourced and controlled.
More effective questions to place in the statement are:
These are three simple considerations. Creating a robust risk culture is a long-haul journey with several crossroads along the way.
So, why overcomplicate it with yet another risk framework?