Friday, November 29, 2013

Risk-Intelligent Culture

Risk-Intelligent Culture shapes Digital Enterprise.

A risk-awareness culture means, in practice, a culture where thinking about managing risk is part of "how things get done around here". How important is a risk-awareness culture to successfully implementing, supporting and sustaining risk management? Without a strong risk-awareness culture, you will be unable to accomplish much in the way of a successful risk management implementation. Going a step further, how can organizations capture opportunities from risk and move up from risk-awareness to risk-intelligence?

1. Tone at the Top 

Tone at the top: This is a make-or-break factor and goes straight to culture. The starting point would always be to get an understanding of current attitudes to risk management at all levels, from the senior executive team to the front desk, and use the results to decide how to build a stronger risk-awareness culture.

The top issue is having a strong, independent and inquisitive Board that has control over management, not the other way around. The risk-awareness culture is indeed important, but it may not give you the full picture unless you also analyze the risk attitude of the top management...
1) Oversight of organizational culture and governance, risk management
2) Clarity of the assessment structure and objectives
3) Ensure sufficient resources to execute

Fitting in the culture gives different results than living it. Risk is too abstract a concept for many to relate to. Try as one might, instituting a risk-awareness culture is just one more silo and administrative requirement that people often feel they need to deal with rather than embrace. There must be awareness from all people across the whole organization. Top management commitment is also important to build a risk-awareness culture successfully. All people must support it if they want to create effective risk management in the organization.
1) Senior management buy-in and sponsorship
2) Ownership and accountability at all levels
3) Non-retribution policy for risk identification and reporting

2. Enterprise Opportunity Management

From ERM (Enterprise Risk Management) to EOM (Enterprise Opportunity Management): As organizations are on the journey of digital transformation, even having a risk-awareness culture is not strong enough to adapt to the changes. At a higher maturity level, a risk-intelligent culture needs to be cultivated, as every risk has opportunities in it, and every opportunity has risks with it. Therefore, Enterprise Risk Management has to be expanded into Enterprise Opportunity Management.

Build an Effective Communication Strategy: The key is for the risk management team to understand how the different silos/departments differ and to manage tailored solutions. It's important that risk managers compare their expert understanding of organizational risk with what is known, not known, or misunderstood in the various silos/departments. Then effective communication strategies can be put in place to bring different perspectives into greater unison, which is an important part of improving communications and achieving a risk-intelligent culture. The "experts" often learn quite a bit about their understanding of risk in this process as well.

Using the Same Common Language: A major part of the challenge in getting thinking about risk management embedded in the culture is being able to help people at all levels understand risk issues by using language that makes risk management clear and relevant to each individual.

Tried & true WIIFM principle: If you can't answer the "What's In It For Me" question when trying to engage people in thinking about risk, then it will continue to be regarded as "something done at headquarters" or seen only as a compliance issue at the operational level. In fact, Risk Management needs to be well embedded in all key business processes, and it becomes opportunity management, as statistics show that organizations with highly mature risk management practices can achieve a 20%+ greater revenue increase than laggards.

3. Risk-Awareness Culture Issues 

Following are some of the other important risk culture issues:

* Consistency of direction from management

* Employees' awareness of short and long-term objectives and strategies

* Alignment of objectives between business units and corporate

* Clarity of individual accountability for objectives

* Employees' understanding of policies

* Management's receptivity to messengers of bad news

* Employees' level of understanding of risk

* Management's emphasis on risk management and control

* Availability of processes to manage change

* Effectiveness of controls

More information on risk culture assessment 

Culture is the collective mindset, behavior, and business brand; therefore, it takes a collective effort, from top-down to bottom-up, with an effective strategy and efficient mechanisms, to cultivate a risk-intelligent culture, which is one of the key factors in running a high-performance business.


Risk management attempts to plan for and handle events that are uncertain in that they may or may not actually occur. These are surprises. Some surprises are pleasant. We may plan an event for the public and it is so successful that twice as many people attend as we expected. A good turn-out is positive. However, if we have not planned for this possibility, we will not have resources available to meet the needs of these additional people in a timely manner and the positive can quickly turn into a negative.
