To understand and embed a good risk culture, your company needs:
- A committed board and senior management who recognize that risk management is a core competence of the business and not something that is delegated to the risk manager(s).
- A board that is not complacent about things going wrong and maintains a sense of vulnerability. This is a particularly important concept because it requires the board to recognize the risk of complacency setting in when things are going right.
- A recognition that risk management is not just a regulatory requirement but an essential element to achieving business success.
- No witch hunts when things go wrong or when people whistleblow, i.e. the matter is treated ‘fairly and justly.’
- A challenge process about risk management matters that is actively encouraged.
- Clear risk policies, processes, responsibilities, i.e. all the hard factors of risk management, are in place.
- Appropriate HR practices that recognize good risk management practices and address bad ones.
- A good ‘risk radar’ that is constantly monitoring the internal and external environment for things that could go wrong.
- Shared values vis-à-vis risk management.
All of these factors will help to inculcate the importance of risk management across the organization, which in turn will drive behaviours aimed to mitigate people People Risk. These behaviours can be reinforced at all levels in the organization by taking active steps to ensure that people understand the part they have to play in managing risk. This is no more so than when it comes to individuals making decisions, even mundane ones, where risk is an important element that always needs to be considered. Just as marketing is everybody’s business, so too is risk management.
This is an extract from Chapter 7 of People Risk Management by Keith Blacker and Patrick McConnell. For more content from these authors, take a look at this blog on people risk management and managing the human factors that may harm your business.