What is risk culture and how do you build it?

Written by
RMI Team (F)

If you’ve researched how to mitigate business risks, you’ll likely have come across the term “risk culture”. Any experienced risk management leader will tell you that risk culture is one of the most underrated and commonly overlooked elements of a company’s risk strategy. While structural implementation and operation of governance, risk and compliance frameworks is important, these frameworks can easily fail in the absence of a strong risk culture.

But what exactly is risk culture? According to Deloitte, risk culture “encompasses the general awareness, attitudes and behaviours of an organisation’s employees towards risk”, and covers organisational values, norms, beliefs and habits related to risk. It is also a key indicator of how successfully an organisation’s risk management policies and practices have been adopted by its workforce.

In an organisation with a strong risk culture, every employee takes personal responsibility for managing risk in all they do. This enables them to make the right risk-related decisions, exhibit appropriate risk management behaviours, and encourage others to do the same on a daily basis. It motivates people to respond appropriately to a problem event or issue, and can be the deciding factor in whether or not an employee commits fraud.

While risk culture is dependent upon people, including their behaviours, attitudes and assumptions, it can still be shaped and strengthened by the right policies and processes.

5 actions leaders can take to help build a strong risk culture

1. Be proactive, not reactive

Risks are emerging all the time, so don’t wait till you’re in the middle of a crisis to develop an emergency response plan. Because proactive risk management requires constant and consistent re-evaluation and redesigning of existing business continuity plans and response programmes, it ensures that the organisation always stays up-to-date on current and future risks. This also means that merely being compliant is no longer enough – business leaders need to consider future risks beyond what is covered by existing regulations.

2. Raise awareness through communication and training

Employees sometimes don’t realise the risk impact of their actions. This is why consistent communication and training regarding risk management processes are so important. Providing frequent, detailed risk training for employees not only heightens their understanding of the various risks that the company is exposed to, it also equips them with the right tools to monitor and respond appropriately. Furthermore, it ensures that risk management is always top-of-mind.

3. Put your money where your mouth is

Business leaders who invest in risk management training, programme development, or technology send a message to employees that risk management is highly valued and prioritised in the organisation. This top-down commitment reinforces the formation of good risk-related work habits in employees, even if they don’t think anyone’s watching – especially important in the age of remote and hybrid work.

4. Build channels for bottom-up communication

Clear processes need to be put in place to encourage employees to report high-risk events and give them a defined path for escalation where necessary. To encourage participation and open discussion, risk incidents should be seen as learning opportunities. This means that the primary focus should be on pinpointing vulnerabilities as a means to implement changes that strengthen risk management – disciplinary action or assignment of blame should be separate matters, and organisations can even consider establishing a “no blame” culture when it comes to disclosing and accounting for risks. This is closely related to the importance of psychological safety in building a collaborative and high-performing team.

5. Emphasise due diligence

If an organisation ensures that no project is approved without proof of sufficient risk identification and analysis, it naturally sets an expectation that employees are responsible for researching and managing risks in all they do. Soon enough, due diligence and care will become an automatic part of every employee’s work process, whether they’re in the front office verifying a customer’s identity, or in the back office processing a payment.

Risk culture forms the foundation of all risk management strategies

Want to improve your risk management performance? Start by taking a good hard look at your organisational risk culture. Because of the way it permeates all levels of an organisation, risk culture is often seen as the glue that holds all elements of the risk management infrastructure together. Without an effective internal environment that nurtures, encourages and rewards risk-mitigating behaviour, it becomes all too easy for risk mitigation frameworks to fall flat.