Enterprise Compliance Today

The "Risk Culture" Myth 2: Roadmap to a Practical Risk Culture

Posted by Greg Carroll on Fri, May 09, 2014 @ 09:55 AM

The Risk Culture Myth isn't anti risk culture but that it's been hijacked to a belief system. In this 2nd article on the Risk Culture Myth I attempt to re-position Risk Culture back to it its original practical intent.



A juggler develops from 3 balls to 5 balls to knives and chainsaws.  By the time they are juggling chainsaws they don’t consider it reckless..

paperbackfrontFree Excerpt: Mastering 21st Century Enterprise Risk Management

In my last article The “Risk Culture” Myth (Apr 24,2014), I asserted that “risk culture” has been hijacked, by vested interests, into becoming an impossible (and unrequired) philosophical pursuit. In an attempt to re-position back to it its original practical intent of:

. the general awareness, attitude and behaviour of its employees and appointed representatives to risk and the management of risk within the organisation", as defined by FSA back in 2006, here is how I believe an organisation can build a “Practical” and effective risk culture in a realistic time frame.

As mentioned, risk culture not only varies between different parts of an organisation, but it also varies over time. As you get better at Risk Management, it is only natural to take on more risk for more reward. As a juggler develops they increase from 3 balls to 5 balls to knives and chainsaws.  By the time they are juggling chainsaws they don’t consider it reckless.   It is due to awareness and practices developed as they evolve, not value and belief systems.

The key principles we can learn from a juggler are:

  1. Risk management is a skill that has to be developed not just instituted, 
  2. It starts with baby-steps and incrementally is extended as the practitioner becomes comfortable with each level or risk,
  3. Each level of ability is demonstratable and has its own reward,
  4. Movement to a new level requires conscious decision with planning, skill development and effort,
  5. The end result moves them from the ordinary to extraordinary and opens their awareness of future possibilities.

So how can one achieve this elusive end? Anyone involved with change management knows that changing a person’s behaviour requires that the individual sees a personal benefit. So make a list of the practices you want adopted and work out the benefits to individuals (not the company). Learn what is important to them and leverage these conversations to derive the benefit the staff seeks.

To develop an practical risk culture requires a journey of behaviors and systems. As I mentioned back in my Feb 2014 article Where to start your Enterprise Risk Management (ERM) system, there are 5 levels of risk maturity, each with their own Risk Cultures.

  1. Basic Risk Registers– having a system in place to identify, record, assess and mitigate risk.  The key is to make it companywide: accounts, sales, operations, processes, etc.  As part of their job everyone must report any noticeable hazards (not just WHS but process and business hazards), which must be reviewed and feedback given on mitigation.

    Awareness: This develops a realisation of hazards in the workplace, processes and work as carried out. The main thing is to keep recording easy and minimal. Ensure management acts on report (have diarise time for mitigation) and posts feedback on action taken. This feedback loop is the key to building staff commitment to risk management and pride in the effect they can have on the business. It also is the start of developing a database of risks that will be used in following levels of risk management.

    Behaviours: Put quotas on staff and management for reporting and actioning hazards (start with 1 per week). What people do consistently for 30 days becomes a habit.

  2. Integrated Risk Management– Throughout the organisation have groups carryout Risk Assessments on their own operations for possible issues then integrate with QMS process control and continuous improvement.  Then identify KPIs to measure and analyse effects of controls implemented thru continuous improvement processes published on their operational dashboards.  Refer to "The Secret to Successful Compliance Management? It's Not the System" on how to get staff involvement.

    Awareness: Develop concepts of cause analysis, hierarchy or controls and KPI measurement as a method of continual monitoring of processes.

    Behaviours: Develops the natural progression of risk identification to mitigation and more importantly the need for flexibility in implementing mitigation activities. Most things don't end up as first planned. This agility of attitude towards plans and ideas is the key to developing a practical risk culture at operational level.

  3. Risk Culture– Convert Risk Management from a compliance obligation into a management strategy.  Commence all decision making with a risk assessment.  Also ensure there is a review & improvement part to all workflows, and institute interaction between depts within day to day operations.

    Awareness: Once you have an endemic understanding of underlying risks and their control, it’s now time to extend into formal risk based decision making. Multiple options (scenarios) of how possible outcomes might evolve need to be identified.  Then the where/how risks apply, in context of those scenarios, becomes meaningful.

    Behaviours: Risk base decision making needs to be integrated in all proposals, business cases and meeting submissions. If it is a mandatory requirement then management will develop strong skills in risk assessments to support their own goals.

  4. Enterprise Risk Management– teenagers would love to be able to become doctors without going thru Uni, Med-School, internships, etc but we understand the need of graduated development.  True ERM not only covers all enterprise risks but more importantly is a proactive, responsive integrated system responding to movements in influences and drivers not just reacting to the after effects of risk events. Developing an ERM thru the aboves levels brings the whole organisation to a mature level of risk awareness and skill which enables an ERM to work effectively. Only then can you have it start producing trustworthy and beneficial results.

    Awareness: Using the extensive risk register database and business process scenarios, it’s now a matter of using all this intelligence to map risk profiles with drivers and influences. Now it time to introduce basic probability mathematics and Bayesian network theory.

    Behaviours: This is quantum move from looking at effects of risks to the causes of risk. The maths lets people understanding the compound nature of influences and leads them to become more and more outward-looking.

  5. Governance & Opportunity Management– having real-time awareness from board to barracks of all influences on strategic objectives, along with the collateral, provides confidence to model future possible scenarios using “what-if” tools. This not only allows ERM to be used for identifying and assessing opportunities, but also can identify fastest pathway to market or ROI.

    Awareness: Risk is the measure of uncertainty and therefore, as opportunities like threats are just another form of uncertainty, risk is a tactic of opportunity management. Using ERM Environmental Scanning linked to growth scenarios, management are offered opportunities as much as being warned of threats.

    Behaviours: Business focus changes from a defensive position to management looking at growth and development opportunities.  This positive attitude is also its own reward.

 All the above tactics for moving an organisation to practical "Risk Culture" are about working with staff to improve their awareness of their environment, purpose and effect of what they do.  No need for defining values, belief systems or shared purpose.  Finance will continue to work with a very different "Organisational Culture" from sales or operations, as will regional offices in US, Japan and Australia.  In the 3rd and final part to this series Risk Culture vs Organizational Culture – Hitler Diaries Case Study, I will illustrate this point using a case study of the "Hitler Diaries" fraud case which highlights the need of independence between "Risk Culture" and "Organisational Culture".


paperbackfront  reduce non-compliance  reduce compliance costs
Free Excerpt: Mastering 21st Century Enterprise Risk Management
Guide to selecting & implementing Enterprise Risk Management
Webinar Videos
See recorded webinar on the Mastering 21st century Enterprise Risk Management
Product Guide
Technical specifications, pricing, and more.

Tags: Best practices, risk management, risk culture