While seemingly cliché, the saying “everyone is a risk manager” is simple but absolute. An organization is run by its people and their knowledge in managing risk is a key component to strategic business planning and success.
But the concept of a risk-aware culture did not really take shape until a little over a decade ago. The risk model and how to effectively manage risk is always evolving and has seen significant advancements through the years. In the early 2000s, financial risk was at the forefront when the Sarbanes-Oxley Act was enacted and organizations began to establish the three lines of defense model. When the Great Recession hit, new regulations and requirements were enforced and organizations re-evaluated how they could apply the earlier key elements of the risk governance model. As we moved toward the end of the Great Recession, we saw more companies focusing on credit, third party and cyber risk management, as well as how to better integrate and aggregate risk activities across the organization.
While we started to see a risk-aware culture emerge after the Great Recession, it has taken time for this to be fully embraced by organizations. Risk-aware culture can sometimes still be seen as more of a segregated model: there is the business, and then there are the people who are responsible for monitoring risk and developing risk practices and frameworks. The key to a successful three lines of defense is actually how the teams work together, how they partner and leverage the expertise from each area to create a stronger and more sustainable risk infrastructure.
In the last few years, there has been more integration of a risk-aware culture with all three lines of defense and the business areas. When implemented successfully, an organization “talks risk” in business terms. There is one language and a better shared understanding. The enterprise risk management teams are viewed as advisors and are aligned with each business area to strengthen risk management practice and behaviors. The following are some key pillars for building a strong risk culture.
Starting at the Top
Establishing a risk-aware culture needs to start at the top. It is critical that management, the executive level and the board understand that developing or strengthening a risk-aware culture is a necessary and important function. The concepts of risk need to be reiterated as the core foundation of the organization.
How you implement a risk-aware culture is also dependent upon all the boots on the ground. It is about the people who are running the day-to-day, and how they think and operate, so you have to attack it from the grassroots as well, in order to be successful.
Communicating risk to the organization should be consistent and shared by leadership to engage employees. Communication is particularly important as many organizations have moved to a hybrid/remote work model and growing this aptitude and culture needs to be approached from different angles. These communications should be coming from non-risk leaders too because it demonstrates that executive leadership supports the risk culture and that the foundation permeates all levels of the organization.
Making Risk Management Real and Easily Understood
Risk management concepts and practices need to be accessible and pragmatic. One of the most important principles in building a risk-aware culture is to convey the concepts of risk so that people not only understand them, but also understand how they apply to their day-to-day roles. A lot of times risk practitioners get caught up in textbook risk management language that can confuse people. Instead, use terms that make sense to everyone and work with the business to understand why risk is important and how they mitigate it. People need to understand why what they are doing is important and what the real magnitude of a risk is in order to sustain sound mitigation practices. It cannot be a check-the-box activity.
If you have a second and third line of defense that only speaks textbook language to the business, you will not be successful. The business does not always think in terms like “risk and control self-assessment,” but they know risk principles. They know that if payroll needs to be out by Friday, data needs to be in, reconciled and approved before files can be sent. They understand that managing cash and executing payroll are higher-risk activities: there is a risk of fraud, and financial loss can occur if these are not done correctly. They understand the concepts and what needs to be done in terms of executing controls. We do not need to articulate this using fancy words, and it does not need to be complicated. Communicating in a streamlined and simple manner often builds efficient operations and the strongest risk management foundations.
Rewarding Employees
Be an advocate for positive reinforcement. When someone successfully raises their hand and identifies an issue, celebrate that behavior as an accomplishment. This is very important to sustaining a meaningful risk culture. Rewarding active and visible examples of risk management best practices helps recognize employees while leveraging those examples as learning opportunities for others.
Risk management should be embedded as one of every employee’s performance management goals. Everyone needs to know that their roles support a strong risk culture.
Training is also essential on all levels of the organization, not only at onboarding, but periodically repeated at least annually as a consistent reminder. It is important to develop risk management awareness and to ensure the organization is evolving as new practices are introduced and the organization matures its framework and processes.
Measuring Progress of Risk
When establishing baseline processes, the structures you put into place are your measurement vehicles. For example, issue remediation, risk assessments and control performance are data-driven points leveraged to determine how the risk environment is doing and whether it is improving or degrading.
From a qualitative perspective, it is about the dialogue and feedback between regulators, the board and other leaders in the organization. Risk can never be eliminated, but it can be managed effectively. There will always be challenges and something to work on within an organization. So when you hear that the business is able to take the lead on something and articulate the risk to the board or management about how the issue will be remediated, you know you have been successful in helping to build out the risk culture.
Developing risk awareness and a strong risk-aware culture takes time and is a process that relies on continued commitment and continuous improvement. Once the foundations are in place and managing risk becomes part of an organization’s DNA, the ongoing strength of operations and ability to achieve objectives will be an invaluable asset for future sustainability and growth.