What is Risk Culture?
Risk culture is the environment in which the risk management system exists. If the environment is not supportive and there is not a good level of buy-in from people in our organisation, then the system will not operate to its maximum effectiveness. If it is compromised to such an extent that it is only partially effective, it brings very limited benefits. In this environment, risk management is very much a box-ticking exercise with elements in place but no conviction or commitment that it is benefitting our organisation. It is a major waste of effort and energy to produce a hollow risk management system.
Getting to a Supportive Risk Culture
Much of risk culture is common sense – we all know that if the attitude and approach are not right, then whatever system is implemented will not work well. So, what are the key takeaways that will help to give us a good risk culture in our organisation?
Firstly, the board and management need to have an awareness of the risks facing our organisation to successfully deliver on its goals and objectives. They also need to know their key role in protecting the organisation from these risks. This means that they need to be active participants in risk management, supporting the implementation and maintenance of good risk management systems, and not passive onlookers.
Secondly, risk management should be a component of all our business decisions. That is not to say that all risk can or must be removed – everything we do carries some level of risk. But the key is that we factor this risk awareness into our decisions and actions. If the risk is acceptable, we may decide to proceed with the action; if it is not acceptable, we may decide not to take the action or we may amend our decision to reduce or mitigate the risk. The key point is that we are experiencing risk management in our daily work lives.
If the board and management champion this approach, then a risk culture supporting good and effective risk management practices should be fostered throughout our organisation.
How can this be delivered in practice? In his book, Fundamentals of Risk Management, Paul Hopkin identifies five elements which need to be in place to achieve this strong risk culture; these are shown in the table below along with what each should mean in practice.
Organisations should benchmark their approach to risk management against these five elements and see if there is room for improvement. Ongoing activities embracing these elements demonstrate a strong commitment to risk management.
This should achieve the good risk culture which will make our risk management even more successful!