Embedding an Enterprise Risk Management Culture
Sentinel Africa
Just because we see no evil, hear no evil, or speak no evil does not mean evil ceases to exist.
The same can be said about our risk environment. We are ever surrounded by risks and we need to build a culture where risks are freely discussed and debated if we are to survive.
What is Risk Culture?
The term has not been conclusively defined. However, starting from the basics, culture is defined as a set of values, beliefs, knowledge and understanding shared by a group of people with a common purpose. Culture comes from repeated behavior. Thus, risk culture can be seen as a repeated behavioral process of risk management. While many treat risk management as an event (filling those dreaded risk registers with critical, high, medium and low ratings and filing them away until the next compliance session), a true culture is more than that. True risk management emanates from clearly defined organizational objectives that specify where and how the organization will meet its goals, and from understanding the uncertainties that matter.
That said, how then do we establish a culture of risk management?
- Make risk management a priority. When was the last time your management team sat down to discuss risk management as part of their strategic planning? Were both the upside and the downside risks discussed? Was there any follow-through action? Making sure risk is well understood by top management allows the culture to cascade across the organization.
- Ensure proper communication. Information asymmetry has surely caused many a company's death, with wrong decisions taken at the strategic, tactical or operational level. Creating effective channels of communication where staff at all levels can freely share updates on risks is essential so that the requisite action is taken when needed.
- Data-driven decisions. The only way to know where you are going is to know where you have come from. Strive to measure and monitor what’s important so as to clearly analyze the uncertainties that matter.
- Make risk management part of all the organization's activities. Can we have risk checkpoints during each new project engagement? What about during updates to objective setting? A review of policies and procedures to embed elements of risk, together with more frequent risk management training and awareness campaigns for staff, is essential to simplify and integrate risk into all organization-wide processes.
In conclusion, every organization is in a risky environment, and as J.R.R. Tolkien said, “It does not do, to leave a live dragon out of your calculation if you live near one”. Have a risk management woke day!
Would you be interested in making your staff risk-aware and embedding a risk culture across your organization? You can check out our training course information for ISO 31000 Lead Risk Manager, where you will be able to gain comprehensive knowledge of the best practice used to implement a Risk Management framework that provides the foundation for designing, implementing, monitoring, reviewing and continually improving a Risk Management process in an organization.