The Risk Management Move to Make Right Now: Building a Risk Culture
Amid the ongoing COVID-19 pandemic, organizations are rewriting their playbooks for how to anticipate and manage vulnerabilities and to build risk resilience.
Businesses have been put through the wringer over the past 18 to 24 months as COVID-19 continues to manifest itself. Leaders made hard decisions on staffing, operations and balance sheets in fast-moving, not to mention remote, situations. Many tough decisions have been revisited well into 2021. As the pandemic lingers, it has forced many businesses to rethink or modify return-to-the-office plans.
These swift, significant and ongoing shifts have pushed companies to think differently about risk. In a recent report, 68% of senior leaders surveyed said that the pandemic exposed new risks and vulnerabilities that require a significant change in how they think about the future.
One of those changes should be a deeper focus on building a risk culture – an area many companies still view as a low-priority agenda item. In a 2019 global risk management survey, only 20% of risk managers said they use risk modeling, and 10% said they have no formalized process in place to identify risks.
Organizations can measure their risk maturity across specific parameters to understand which areas they should prioritize, a crucial step for organizations operating in an environment where cost management is critical. Analyzing maturity can also help firms understand where their gaps are, and what roles each person in an organization should play in risk culture. The payoff is clear: research has shown there are strong relationships between an organization’s Risk Maturity Rating and its performance. Organizations with higher risk maturity generally see stronger stock price performance, reduced stock price volatility over time and stronger return on equity performance.
Companies can create a framework for action focused on several core areas:
• People
• Process
• Information
• Influence
Executive-leadership discussions
Risk needs to have a seat in the C-suite. Risk managers should liaise with executives to understand business strategy and connect objectives and desired outcomes to risk strategy. Senior executives should also help facilitate key risk management processes.
Stakeholder participation
In addition to senior executives, a mix of key stakeholders, such as board members and employees from different business units, should participate in developing risk management strategies, processes and policies to ensure ownership and accountability exists across the business. Setting regular times for stakeholders to convene will facilitate better communication and provide greater visibility into risk issues. It’s also important that risk leaders make clear which risks affect each business function so that buy-in and participation come from across the organization.
Frontline involvement
Most companies’ risk plans break down because there isn’t enough ownership and accountability both at the leadership level and on the frontline. All employees need to understand their role in risk management. Risk leaders should provide regular trainings, risk summits and briefings to employees to create a shared understanding of risk and expectations.
Mindsets and behaviors
Creating a risk management mindset and promoting best practice risk management behaviors across the organization is important – every employee should be able to make decisions through the lens of risk. Because many companies fail when there isn’t accountability across the organization, continually reinforcing those mindsets is critical. To that end, companies should have rewards and incentives for compliance built into their organizational structure and provide ongoing training and education for employees. Many companies turn to change management processes, including a four-part influence model, to help increase the likelihood of success in changing mindsets and behaviors.
Risk-based decision making
Companies need to incorporate risk considerations into decision making and governance. They should use data on financial, operational, and reputational risks to fully understand the impact of their business decisions. They should also use scenario-based approaches to help separate predictions or intended outcomes from actual behaviors or outcomes. This will help ensure that risk perceptions, versus actual degree of risk, don’t cloud decision making.
Risk communication
Transparency is a key to a successful risk culture. Conversations about risks at various levels and how different types of risk impact the organization should be encouraged. Leadership should provide honest commentary about risk and how the company addresses it. All communication related to risk should avoid jargon and use everyday language. Companies should also be thoughtful and targeted in their communications strategy, identifying the appropriate channels to connect with audiences across their organization — for instance, older employees may prefer face-to-face contact while millennials may prefer text or email. Doing so will help ensure risk communication reaches and engages employees.
Optimized risk profile
One element of a strong risk culture is the move from focusing on risk prevention and mitigation to leveraging risk and risk management options that extract value and help build resilience. Simply put, risk is part of everyday business. This proactive, strategic risk strategy requires a sophisticated enterprise risk management approach, and key tenets of risk culture can help bring it to life. When a company moves from having a reactive risk plan that results in only addressing risk after the fact, to one in which they upgrade practices to reduce exposure before a loss occurs, it can build respect and credibility with customers and peers.
Reporting
In a strong risk culture, companies measure outcomes and accountability, and put routine risk reporting in place. The reporting should be shared throughout the organization for greater transparency. In addition to reporting on what has been done and quantifying mitigated risk, the reporting should unveil areas for improvement and opportunity to strengthen the risk strategy. Companies can use a number of reporting tools that provide customizable reports to gather the information they need more quickly and methodically.
Monitor and move with agility
Risks vary by type; an approach to natural disasters, for example, looks very different from an approach to cybersecurity. As such, the more firms can calibrate to the current environment, the better. For example, many companies had to factor the giant work-from-home sweep that abruptly took place in 2020 into their cyber risk models. Because risks are constantly evolving, companies need an agile posture toward them. To achieve that, they should have a continuous monitoring process, pulling data from a number of sources, and a flexible risk management operation that allows leaders to shift course quickly when needed.
As the risk environment changes, companies should implement a strategic enterprise risk management approach that helps them mitigate risk and create value. To make that a reality, all companies should focus on building a strong risk culture with buy-in and support from the top down.
Data and analytics
Companies should take a data-driven approach to identifying existing and emerging risks. They can use both internal and external data to monitor potential disruption in a number of areas. Some examples include using catastrophe models to understand exposure to climate risks and AI-based tools to monitor customer complaint data. Such data will also help firms determine their risk appetite and implement risk quantification tools. Companies should invest both in data and analytics capabilities and platforms that aid in uncovering insights.
Scenario-based approach
Firms should also rely on scenario-based information, which can provide context to data by developing different scenarios as to how risk could play out. For example, if an office is in a floodplain, scenarios could include moving the office, reinforcing it with flood-proofing, or doing nothing and potentially needing to rebuild the office in the event of a loss.
Governance structure
Risk cultures are most effective when there is a strong governance and accountability structure in place, built into the overall organizational and managerial structure. There should be appropriate influence and responsibility at each level. A sample structure could look like this:
Board of directors
• Reviews and confirms risk management policy and objectives
• Reviews and confirms organization’s risk profile and risk appetite
• Aligns risk governance with overall strategy and shareholder expectations
• Accepts ultimate responsibility for overseeing risk governance
Leadership team
• Develops risk appetite consistent with operating plans, metrics
• Determines risk management responsibilities
• Allocates resources and monitors risk management performance
• Discloses key risks and risk management performance
Frontline employees
• Oversee risk management implementation
• Confirm risk management results
• Identify and implement best practices
• Provide internal oversight, expertise and training