The risk culture: What to do, what not to do.
The risk culture is how an organization deals with risk. It needs to be embedded in the organization’s behaviours.
What is the Risk Culture?
In our previous article, we started to introduce the notion of risk culture. Defining it would be a bit trivial as the words speak for themselves.
However, introducing risk management on the basis of the wrong risk culture can lead to the opposite of the effect sought. By nature, an enterprise needs to take risks to evolve. The Earth keeps turning, times change and, if a company does not take any step to evolve, it runs the risk of disappearing. So, taking risk is a necessity.
I have seen organizations that have not taken any risk, because money was flowing in without much effort. Those usually wake up, too late, with entrants in their market threatening their position.
I have seen companies that, after a crisis, put so much emphasis on the avoidance of negative risk that their whole evolution process has been blocked.
Where do these situations come from? Usually, they come from a senior management decision. They rarely come from a collective and unconscious decision of all the people working in the company, at least in the initial stages.
The importance of the Tone at the Top.
This is why the “tone at the top” is very important in the risk management context. And in this “tone at the top” factor, the most important part is the actual behaviour of senior management towards risk management. The key traits that influence the risk culture are a clear understanding of the company’s risks, constant follow-up on them, a constant dialogue about them with the people actually doing the job, and the recognition and management of both threats and opportunities.
How do we give some formality to the risk culture?
Next to this behavioural dimension, the company also needs the appropriate governance, policies and procedures to manage risk. At the risk of repeating myself, this formalism must fit the organization and must not paralyze it. This formalism also evolves as the company and its environment change.
Finally, at the risk of sounding simple, the risk culture is introduced and maintained through regular communication around risk. Depending on the topic and the organization, this communication can be formal or informal, written or verbal. This element is probably the most important one, together with the behaviour at the top of the company.
In our next article, we’ll briefly discuss the governance of a risk management process.
Co-Founder & Partner
After 13 years as CFO of The Bank of New York Mellon, I held several positions that allowed me to cover a wide range of topics: general management of entities, risk and finance management, corporate taxes, supervision of IT and operations, accounting, budgeting, creation and restructuring of legal structures, regulatory reporting, acquisition of companies, operational statistics, and management accounting.
My strengths are in Finance and Risk Management.