The Risk Management Move to Make Right Now: Building a Risk Culture
Amid the chaos of 2020, organizations are rewriting their playbooks for how to anticipate and manage vulnerabilities.
Ask workplace professionals about how 2020 treated their firms, and chances are their answer will include the word “exhaustion.” Businesses, like individuals, have been put through the wringer over the past year as the COVID-19 pandemic raged. Leaders made hard decisions on staffing, operations and balance sheets in quick (not to mention remote) situations.
The swift and significant shifts of 2020 have pushed companies to think differently about risk. In a recent report, 68% of senior leaders surveyed said that the pandemic exposed new risks and vulnerabilities that require a significant change in how they think about the future.
One of those changes should be a deeper focus on building a risk culture – an area many companies still view as a low-priority agenda item. In a 2019 global risk management survey, only 20% of risk managers said they use risk modeling, and 10% said they have no formalized process in place to identify risks.
Organizations can measure their risk maturity across specific parameters to understand which areas they should prioritize, a crucial step for organizations operating in an environment where cost management is critical. Analyzing maturity can also help firms understand where their gaps are and what roles each person in an organization should play in risk culture. The payoff of doing this is clear: Research has shown there are strong relationships between an organization’s Risk Maturity Rating and its performance. Organizations with higher risk maturity generally see stronger stock-price performance, reduced stock-price volatility over time and stronger return-on-equity performance.
Companies can create a framework for action focused on several core areas:
Risk needs to have a seat in the C-suite. Risk managers should liaise with executives to understand business strategy and connect objectives and desired outcomes to risk strategy. Senior executives should also help facilitate key risk management processes.
In addition to senior executives, a mix of key stakeholders, such as board members and employees from different business units, should participate in developing risk management strategies, processes and policies to ensure ownership and accountability exists across the business. Setting regular times for stakeholders to convene will facilitate better communication and provide greater visibility into risk issues. It’s also important that risk leaders make clear which risks affect each business function so that buy-in and participation come from across the organization.
Most companies’ risk plans break down because there isn’t enough ownership and accountability both at the leadership level and on the frontline. All employees need to understand their role in risk management. Risk leaders should provide regular trainings, risk summits and briefings to employees to create a shared understanding of risk and expectations.
Creating a risk management mindset and promoting best practice risk management behaviors across the organization is important – every employee should be able to make decisions through the lens of risk. Because many companies fail when there isn’t accountability across the organization, continually reinforcing those mindsets is critical. To that end, companies should have rewards and incentives for compliance built into their organizational structure, and provide ongoing training and education for employees. Many companies turn to change management processes, including this four-part influence model, to help increase the likelihood of success in changing mindsets and behaviors.
Mindsets and behaviors
Risk-based decision making
Companies need to incorporate risk considerations into decision making and governance. They should use data on financial, operational, and reputational risks to fully understand the impact of their business decisions. They should also use scenario-based approaches to help separate predictions or intended outcomes from actual behaviors or outcomes. This will help ensure that risk perceptions, versus actual degree of risk, don’t cloud decision making.
Transparency is a key to a successful risk culture. Conversations about risks at various levels and how different types of risk impact the organization should be encouraged. Leadership should provide honest commentary about risk and how the company addresses it. All communication related to risk should avoid jargon and use everyday language. Companies should also be thoughtful and targeted in their communications strategy, identifying the appropriate channels to connect with audiences across their organization — for instance, older employees may prefer face-to-face contact, while millennials may prefer text or email. Doing so will help ensure risk communication reaches and engages employees.
One element of a strong risk culture is the move from focusing on risk prevention and mitigation to leveraging risk and risk management options that extract value and help build resilience. Simply put, risk is part of everyday business. This proactive, strategic risk strategy requires a sophisticated enterprise risk management approach, and key tenets of risk culture can help bring it to life. When a company moves from having a reactive risk plan that results in only addressing risk after the fact, to one in which they upgrade practices to reduce exposure before a loss occurs, it can build respect and credibility with customers and peers.
In a strong risk culture, companies measure outcomes and accountability, and put routine risk reporting in place. The reporting should be shared throughout the organization for greater transparency. In addition to reporting on what has been done and quantifying mitigated risk, the reporting should unveil areas for improvement and opportunity to strengthen the risk strategy. Companies can use a number of reporting tools that provide customizable reports to gather the information they need more quickly and methodically.
Monitor and move with agility
Risks vary in terms of types; an approach to natural disasters, for example, looks very different from an approach to cybersecurity. As such, the more firms can calibrate to the current environment, the better. For example, cyber risk models may be up-to-date, but many companies haven’t factored in the giant work-from-home sweep that abruptly took place in 2020. Companies need to have an agile posture when it comes to risks, which are constantly evolving. To achieve that, they should have a continuous monitoring process, pulling data from a number of sources, and a flexible risk management operation that allows leaders to shift course quickly when needed.
As the risk environment changes, companies should implement a strategic enterprise risk management approach that helps them mitigate risk and create value. To make that a reality, all companies should focus on building a strong risk culture with buy-in and support from the top down.
Data and analytics
Companies should take a data-driven approach to identifying existing and emerging risks. They can use both internal and external data to monitor potential disruption in a number of areas. Some examples include using catastrophe models to understand exposure to climate risks and AI-based tools to monitor customer-complaint data. Such data will also help firms determine their risk appetite and implement risk-quantification tools. Companies should invest both in data and analytics capabilities and platforms that aid in uncovering insights.
Firms should also rely on scenario-based information, which can provide context to data by developing different scenarios as to how risk could play out. For example, if an office is in a floodplain, scenarios could include moving the office, reinforcing it with flood-proofing, or doing nothing and potentially needing to rebuild the office in the event of a loss.
Risk cultures are most effective when there is a strong governance and accountability structure in place, built into the overall organizational and managerial structure. There should be appropriate influence and responsibility at each level. A sample structure could look like this:
Board of directors
• Reviews and confirms risk management policy and
• Develops risk appetite consistent with operating
• Oversee risk management
• Reviews and confirms organization’s risk profile and risk appetite
• Aligns risk governance with overall strategy and
• Accepts ultimate responsibility for overseeing
• Determines risk management
• Allocates resources and monitors risk management
• Discloses key risks and risk
• Confirm risk management
• Identify and implement
• Provide internal oversight, expertise and training