43 Ways to Create a Positive ‘Risk Culture’

There are many practices that organisations can implement to strengthen their organisational culture and produce a positive ‘risk culture’.

These organisational practices include:

  1. Create an accountable organisation.
  2. Implement the appropriate organisational design.
  3. Create awareness of the strategic benefits of risk management.
  4. Create an effective risk governance structure.
  5. Create an effective risk function.
  6. Hire the right personality to head the risk function.
  7. Create a just and psychologically safe culture.
  8. Formalise informal risk communications.
  9. Create clear escalation and reporting pathways and trigger points.
  10. Simplify risk management tools, activities, and processes.
  11. Peel back over-engineered risk management activities and processes.
  12. Simplify decision-making.
  13. Use heuristics instead.
  14. Use simple leading performance indicators.
  15. Use a balanced set of key risk indicators.
  16. Define the boundaries for risk-taking and opportunity-seeking.
  17. Create the right balance of summarised and detailed reporting.
  18. Contextualise risk reporting with performance information.
  19. Create a common language for risk.
  20. Create a common language for controls.
  21. Create a common language for causes.
  22. Focus on forward-looking risks.
  23. Create time and space for intentional one-to-one interactions.
  24. Create space, time and permission for quality reflection, introspection, and learning.
  25. Create risk safe zones for open risk discussions.
  26. Create ‘in-camera’ sessions with board members.
  27. Don’t fall for dominant executive personalities.
  28. Reimagine risks as potential opportunities.
  29. Integrate your strategy and risk decisions.
  30. Boards should adopt the 75:25 rule.
  31. Create standing agenda items for risk and performance at meetings.
  32. Conduct a ‘deep dive’ analysis of risk.
  33. Use failures as feedback.
  34. Use practical examples and storytelling.
  35. Build a network of risk ambassadors.
  36. Focus on user experience and value add.
  37. Encourage reporting and escalation of risks.
  38. Encourage whistleblowing.
  39. Risk-taking behaviours rewarded or challenged.
  40. Risk management skills are valued, encouraged, and developed.
  41. Regular challenging of the status quo from diverse perspectives.
  42. Hold management to account for the closure of risks.
  43. Formalise informal risk management.

Create an accountable organisation

Organisations and management teams must be clear about what success looks like, how it’s measured, and who’s accountable for it while making rewards (and punishment) dependent on accomplishing those results.

Link accountability and reward with performance and risk management to drive positive organisational performance and success given that risk management is about the achievement of objectives.

If it is not clear who’s accountable for a specific outcome, chances are it won’t be achieved. Without clarity as to accountabilities, risks will not be identified and managed.

Accountability, empowerment, and trust must start with the Board and executive management. These go right down to every individual in the organisation. Without an organisational-wide culture of holding individuals to account and rewarding them for positive behaviours and results, organisational performance will suffer. Risk will not be identified and managed.

Empower and trust people to utilise their risk judgment and appetite to achieve the best outcomes for the organisation. This creates agility and flexibility to innovate, adapt and grow in today’s challenging operating and business environment.

Implement the appropriate organisational design

Implement organisation models and structures that will empower individuals, clarify what’s important to organisational success, and assign accountability and responsibility in a way that works for cross-functional teams, projects, and solutions.

Always start with the work itself. Determine what needs to be done to achieve the organisational vision and mission. Identify the outcomes and performance metrics that will define success (i.e., what does success look like and how do we measure success). And define the required capabilities, skills, and experiences that are needed to perform the work and determine who is accountable for the work and success.

The organisation design must excite, engage, and empower people and teams; to give them a sense of autonomy, accountability, and ownership, and encourage continuous creativity, growth, and flexibility.

There is agility and flexibility in delivering the agreed outcomes when there is accountability, autonomy, and ownership.

Create awareness of the strategic benefits of risk management

Risk and risk management are not always viewed positively.

While regulation and compliance remain key drivers for board-level involvement in risk management, it is vital to create awareness of the strategic benefits of risk management in helping boards and managers exploit opportunities to exceed their stated objectives.

Create diversity in boards’ risk skills, knowledge, experience, education, and training. This helps to develop a collective consciousness that allows a board to identify changes in risk exposures and respond appropriately.

Set a consistent ‘tone at the top’

Boards and executives should be mindful of the interrelationship between the embeddedness of risk in their discussions and decisions, and its embeddedness in the organisation itself.

Consistently committing resources and setting the ‘tone at the top’ will go a long way in creating and sustaining a positive ‘risk culture’.

Create an effective risk governance structure

Boards create governance structures and use committees (e.g., risk, audit) to best support their decision-making and oversight of strategic matters and risks without delegating their accountability. They establish clear and transparent lines of communication between themselves, their committees, and the subject matter experts supporting those committees.

The risk committee can act as a filter for the board. This enables a more succinct and strategic discussion to take place at the board. The committee chair distils the key points from the discussion to the board. Through the active role of the chair, scrutiny of risk areas and even emerging risks takes place.

Create an effective risk function

Create a forward-looking risk function that is focused on trending or emerging strategic issues and risks in addition to being a ‘trusted friend’ to Line 1 business owners.

Depending on organisational requirement and design, the risk functions can play one or more roles from an organisational design perspective – as a business partner (Line 1 role), an overseer (Line 2 role) or an independent facilitator (Line 2 role).

Use tools like scenario planning to overcome the potential failure to take known risks into account.

Hire the right personality to head the risk function

Personalities matter in performing organisational roles successfully. Without the right person, one who can deliver the intended purpose and direction of the risk function, it is going to be difficult to set the right foundation for organisational success.

If the focus of the risk function is to be an independent facilitator, hiring an introvert or a hard-nosed person as Chief Risk Officer can be counterproductive.

Worse still, combining the risk and audit functions under a Chief Risk and Audit Officer can also be counterproductive in many instances. A career auditor cannot effectively have forward-looking risk conversations while generally looking back with a stick in hand.

No business owner will open up in frank discussions with an auditor knowing that their actions will be audited and reported in the future!

Create a just and psychologically safe culture

Create a just and psychologically safe culture in which people sincerely believe that it is right to communicate problems promptly to the next level of management, without fear that raising the problem will make things worse for them.

People need to feel psychologically safe to report and escalate risky decisions, concerns, or even poor behaviours without fear, favour, incrimination, and retribution.

Give Chief Risk Officers decision-making powers and veto rights over transactions considered too risky rather than passively monitoring risk measurement and analysis. Diversity in decisions is important for complementary teams.

Formalise informal risk communications

Outside formal reporting mechanisms, boards establish lines of communication between the executive and non-executive board members, as well as between board members and sub-committees, that enable deeper and more meaningful risk discussions at the board level.

Given the effect of static risk data and organisational complexity on decision-making within the boardroom, risk committees create a vital conduit and interaction through which there is timely flow and filtering of relevant information to the board.

While the information may not be accurate or complete, it has to be timely.

Create clear escalation and reporting pathways and trigger points

Proactive escalation, reporting and communication are far better than unpleasant surprises that can require costly corrective actions in the future.

Develop and implement clear trigger points or business rules for escalating risks, issues and concerns up the organisational hierarchy. This is part of the escalation procedures that include defined escalation and reporting pathways.

For example, informal discussions with team members reveal widespread dissatisfaction with pay, terms, and conditions among staff across the organisation. The threat is escalated to the HR department.

No matter where the person is in the organisational chart, they must know how and when to escalate and which pathways to use. They also need to know what issues should be raised, to whom and within what time frame. This avoids the failure in communicating risks and issues to top management.

To make risk escalation work, we need clear thresholds between the different levels in the organisation. Everyone knows where each risk belongs, without confusion or ambiguity.

Regardless of where a risk is identified, it needs to be managed at the right level. This is defined by measurable thresholds based on the objectives that would be affected if the risk occurred.

Having identified the right level to which the risk should be escalated, the manager needs to communicate the risk to the new risk owner and ensure they actively accept responsibility for its management. Only at that point should the risk be removed from the current risk register and entered into the register at the level where it belongs.

Risk escalation works best when these factors are in place:

  • Open culture that encourages sharing of information across departments and organisational levels.
  • Risk information and discussion are on the meeting agenda at all levels of an organisation.
  • Organisational members acknowledge that risk management processes at all levels are sources of valuable information relevant to decision-making.
  • Employees and mid-level managers understand that they may be sitting on the only source of risk information.
  • Attention is given to how risks are communicated (i.e., format, length, language, etc.).
  • Positively acknowledge every risk that is escalated (i.e., saying “Thank you”).

Simplify risk management tools, activities, and processes

Co-develop and implement simplified and user-friendly risk management tools, activities, and processes with active input from users. This will significantly improve the employee experience and materially increase the likelihood of people ‘doing’ risk management because they want to, rather than because they have to.

This co-design and co-ownership will create a positive ‘risk culture’ for the organisation.

Peel back over-engineered risk management activities and processes

Risk management activities that are onerous, complex, over-engineered, time-consuming, and non-value-adding to the user will achieve very little other than being viewed as a form-filling compliance exercise.

This can create the perception that the risk function is administrative, focusing only on processes and compliance rather than on strategy and the substance of the risks. It will also create a perception that the risk process exists for compliance and will not add any value to the outcome.

Simplify decision-making

Simplify overly complex and bureaucratic decision-making processes that can slow the detection of risk failings.

Focus on timely decision-making and just decide rather than procrastinating.

Learn four things from Jeff Bezos’s approach to making decisions under risk and uncertainty:

  1. Focus on decision velocity to drive innovation. Speed matters to your future success.
  2. Make decisions with 70% of the information you wish you had. Perfection kills. Aim for ‘good enough’.
  3. Most decisions are easily changeable and reversible. Don’t be paralysed with indecision. Delegate always.
  4. Disagree and commit to a decision. Take immediate action. Agree to disagree, support, and move on with your decision.

Use heuristics instead

Heuristics have the power to deal with complex situations such as risk and uncertainty. Simplicity allows heuristics to be used as risk management tools by organisational members at all levels within an organisation.

Most problems can be addressed using rules of thumb developed through experience.

Use simple leading performance indicators

Find the one key leading performance indicator for your business that will flag potential risks.

The Board chair of British Airways focused only on on-time departure as the most critical measure of success. This focus helped turn around the ailing airline in the 1980s. All other measures contributed to or supported this one key metric.

Simple indicators often outperformed more complex metrics in predicting individual bank failure during the global financial crisis. These indicators are simpler and easier to understand, communicate, and operationalise.

Develop capabilities to provide early warning notifications and escalations. Create a digital roadmap that embraces advanced analytics and leading technology for greater precision and accuracy.

Establish processes to run simulations and scenarios to inform and prioritise risk mitigations.

Use a balanced set of key risk indicators

A generic balanced scorecard translates an organisation’s overall mission and strategy into specific, measurable performance and risk indicators and measures across four perspectives:

  • Learning and growth for employees
  • Internal business processes
  • Customer satisfaction
  • Financial performance.

Focusing more on leading than on lagging performance and risk indicators, the four balanced scorecard perspectives provide a framework for looking at the different risks in each category. This prevents a blinkered focus on financial performance alone. It promotes a wider view encompassing the other strategic dimensions that span the full spectrum of an organisation’s activities, and enables organisations to track and report on their performance against strategic goals.

Risk indicators can be qualitative or quantitative information that monitor identified risk exposures over time.

Assign upper and lower acceptable risk limits (warning thresholds) for each strategy-linked performance and risk indicator. This allows management to track the evolution and trends for each risk and key risk indicator that relates to the performance and achievement of organisational strategy.

These boundaries for risk-taking and opportunity-seeking are based on the organisation’s risk appetite and tolerance. Risk appetite is the amount of risk the organisation is willing to accept to achieve its objectives and risk tolerance is the acceptable deviation from the organisation’s risk appetite.
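The escalation trigger points described under ‘Create clear escalation and reporting pathways and trigger points’ and the appetite and tolerance limits described above can be operationalised with a small threshold monitor. The following is an added example and not code from the article; the escalation hierarchy (team, business unit, executive, board), the two security indicators, and their readings are hypothetical and constructed for illustration. A reading inside the appetite band is green, a reading outside appetite but inside tolerance is amber and moves the risk one level up, and a reading beyond tolerance is red and moves it two levels up. The trend is measured as distance from the appetite band rather than by raw value, and a risk is only moved between registers once the new owner has accepted it.

```python
"""Threshold-based KRI monitoring and risk escalation.

Added example; hypothetical escalation levels and constructed indicator readings.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Escalation levels from lowest to highest. Hypothetical hierarchy; map to your own org chart.
LEVELS = ["team", "business_unit", "executive", "board"]


@dataclass(frozen=True)
class KRI:
    name: str
    objective: str                  # objective affected if the risk materialises
    appetite: Tuple[float, float]   # band the organisation is willing to operate in
    tolerance: Tuple[float, float]  # widest acceptable deviation from appetite
    owner_level: str                # level that owns the risk while it is within appetite


@dataclass
class Escalation:
    kri: str
    value: float
    status: str
    from_level: str
    to_level: str
    accepted: bool = False          # new owner must actively accept before transfer

    def accept(self) -> None:
        self.accepted = True


def classify(kri: KRI, value: float) -> str:
    """green = within appetite; amber = outside appetite but within tolerance; red = beyond tolerance."""
    lo, hi = kri.appetite
    tlo, thi = kri.tolerance
    if lo <= value <= hi:
        return "green"
    if tlo <= value <= thi:
        return "amber"
    return "red"


def escalation_level(kri: KRI, status: str) -> str:
    """Each band breached moves the risk one level up the hierarchy, capped at the top level."""
    steps = {"green": 0, "amber": 1, "red": 2}[status]
    idx = LEVELS.index(kri.owner_level) + steps
    return LEVELS[min(idx, len(LEVELS) - 1)]


def distance_from_appetite(kri: KRI, value: float) -> float:
    lo, hi = kri.appetite
    if value < lo:
        return lo - value
    if value > hi:
        return value - hi
    return 0.0


def trend(kri: KRI, history: List[float]) -> str:
    """Compare the last two readings by distance from the appetite band, not by raw value."""
    if len(history) < 2:
        return "insufficient_data"
    prev, last = (distance_from_appetite(kri, v) for v in history[-2:])
    if last > prev:
        return "worsening"
    if last < prev:
        return "improving"
    return "stable"


def evaluate(kri: KRI, history: List[float]) -> Dict[str, object]:
    """Evaluate the latest reading and produce an escalation record if the owner level changes."""
    value = history[-1]
    status = classify(kri, value)
    level = escalation_level(kri, status)
    esc: Optional[Escalation] = None
    if level != kri.owner_level:
        esc = Escalation(kri.name, value, status, kri.owner_level, level)
    return {"kri": kri.name, "objective": kri.objective, "value": value,
            "status": status, "level": level, "trend": trend(kri, history), "escalation": esc}


def transfer(registers: Dict[str, List[str]], esc: Escalation) -> None:
    """Move the risk between registers only after the new owner has accepted it."""
    if not esc.accepted:
        raise ValueError(f"{esc.kri}: {esc.to_level} has not accepted ownership")
    current = registers.setdefault(esc.from_level, [])
    if esc.kri in current:
        current.remove(esc.kri)
    registers.setdefault(esc.to_level, []).append(esc.kri)


# Constructed indicators and readings (security context); not taken from the article.
PATCH_SLA = KRI("critical_patch_sla_pct", "keep internet-facing systems patched",
                appetite=(95.0, 100.0), tolerance=(90.0, 100.0), owner_level="business_unit")
PRIV_REVIEW = KRI("days_since_privileged_access_review", "limit standing privileged access",
                  appetite=(0.0, 30.0), tolerance=(0.0, 45.0), owner_level="team")
HISTORY = {PATCH_SLA.name: [97.0, 94.0, 88.0], PRIV_REVIEW.name: [10.0, 20.0, 35.0]}


def run() -> Dict[str, List[str]]:
    """Evaluate both indicators and return the registers after any accepted transfers."""
    registers = {"team": [PRIV_REVIEW.name], "business_unit": [PATCH_SLA.name]}
    for kri in (PATCH_SLA, PRIV_REVIEW):
        result = evaluate(kri, HISTORY[kri.name])
        print(f"{result['kri']}: {result['status']} ({result['trend']}) -> owner {result['level']}")
        esc = result["escalation"]
        if esc is not None:
            esc.accept()            # simulate the new owner acknowledging the risk
            transfer(registers, esc)
    return registers


if __name__ == "__main__":
    print(run())
```

With the constructed readings, patch SLA compliance has fallen from 97% to 88%, beyond tolerance, so it is red and worsening and moves from the business unit to the board register; the privileged access review is 35 days overdue against a 30-day appetite, so it is amber and moves from the team to the business unit. The `transfer` guard enforces the point made above: a risk changes register only once the new owner has actively accepted it.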

Define the boundaries for risk-taking and opportunity-seeking

No business can thrive without taking on risks.

The Board and management must know beforehand the organisation’s capacity for risk-taking and opportunity-seeking in line with its overall business strategy. The global financial crisis clearly showed that executives’ risk appetite is often neither defined nor aligned.

A key benefit of deploying a risk appetite framework is that risks are identified and quantified in a structured way that aligns them to the organisation’s business objectives and strategy. Trade-offs between risk and reward are made upfront.

Consider whether the board’s risk appetite determines strategy, or whether decisions about strategy lead to how the organisation frames its risk appetite.

Create the right balance of summarised and detailed reporting

Lengthy and detailed risk reports and insufficient time devoted to risk management at board meetings can create significant challenges for board-level risk-management activities.

Provide the right level and depth of performance and risk reporting based on the balanced scorecard approach.

Create the right balance of summarised and detailed performance and risk reporting that is required to help boards and management teams make strategic decisions. Include metrics and analysis of customer complaints or customers with extremely negative experiences, details on the risk profile of the organisation and the trajectory of risks or new and emerging risks.

Contextualise risk reporting with performance information

Risks must be discussed within the context of organisational performance, especially concerning the achievement of key performance targets and organisational objectives.

If the organisation is achieving its performance targets and has high or critical risks in some areas that are directly linked to the performance itself, the organisation is likely taking the right risks to achieve its objectives.

A risk rated ‘high’ is not necessarily a bad thing, especially if the organisation is seeking out the right opportunities to be successful in the long term.

It is a bad thing to implement controls that will stop good performance just because a risk is rated as ‘critical’. Presenting or discussing risk information without understanding the performance level and issues is unhelpful and could even be destructive or counterproductive.

Create a common language for risk

Eliminate information silos and redundant data entry, and increase management accountability, by creating a single universe of all risks, controls, and causes.

Standardisation is key when identifying risks. Having an organisational-wide risk universe allows different business units to communicate uniformly. It facilitates your ability to identify risks and prioritise based on criticality.

Rather than listing all risks in risk registers, a risk universe consists of the different categories of risk that could affect your organisation on every level. Anything that could harm your organisation’s ability to function and achieve its objectives is encapsulated in your risk universe.

Strategically classifying all risks according to categories can help organisations better develop an effective risk prevention strategy and prioritise risks that require the most attention.

A risk universe can:

  • Provide consistent language for risks to be effectively communicated.
  • Assist with the consistent aggregation and roll-up of information when reporting to management and the various risk committees.
  • Aggregate and better manage enterprise-wide risks across business units.
  • Function as a checklist to drive the comprehensive identification of risks.
  • Identify risk trends over time.
  • Minimise time spent wordsmithing when describing a risk event.
  • Drive structure for multiple risk management tools such as controls library and control self-assessments.

Create a common language for controls

In complementing a risk universe, create a comprehensive control universe that seeks to map various control landscapes within the first, second and third-line functions. Link them to:

  • Risk information (i.e., risk appetite, risks, controls, key performance indicators, key risk indicators, key control indicators, scenarios, losses, etc.).
  • Organisational structures (business units, legal entities, etc.).
  • Business objectives (financial performance indicators, performance goals, strategic objectives, etc.).
  • Compliance mandates (areas of compliance, requirements, standards, policies, etc.).
  • Audit constructs (audit entities, findings, work papers, etc.).
  • Legal information (cases, incidents, etc.).
  • IT assets (assets, threats, vulnerabilities, etc.).

The control universe can be used by all three lines of defence as a single source of truth. It gives management sufficient visibility of the thematic control issues facing the organisation.

A control universe can:

  • Improve internal communication.
  • Provide tried, tested and implementable solutions that reduce overlapping control activities and leverage better practices.
  • Enhance control testing using different control testing methodologies.
  • Allow the organisation to probe more deeply into emerging themes.
  • Prioritise efforts and allow both reactive and proactive approaches.
  • Provide a justification where future internal audit recommendations are not accepted or actioned.
  • Improve the relationship with regulators and oversight bodies.

Create a common language for causes

Additionally, create a cause library of key possible causes that can lead to a risk event.

Adding causes to the cause library helps to identify the reasons for a risk event. This helps prevent future events.

It also helps with risk analysis, risk prediction, and risk prevention, especially in revealing common causes and risks that affect multiple business areas. This makes prioritisation systematic.
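The risk, control and cause universes described in the three sections above amount to a shared vocabulary of identifiers that every business unit's register must use. The following is an added example, not the article's own material; the taxonomies, identifiers and register entries are hypothetical and constructed for illustration. It shows what the common language buys you: entries that bypass the taxonomy are rejected, risks roll up by category across business units, causes recorded in several units surface as common causes, and risks with no mapped control become visible as thematic gaps.

```python
"""Risk, control and cause universes as a shared vocabulary for register roll-ups.

Added example with constructed identifiers and entries; not the article's data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical taxonomies. Risk identifiers carry the category (R-CYB, R-OPS) used for roll-up.
RISK_UNIVERSE = {
    "R-CYB-01": "Unauthorised access to systems or data",
    "R-CYB-02": "Loss of a critical service",
    "R-OPS-01": "Key supplier failure",
}
CONTROL_UNIVERSE = {
    "C-IAM-01": "Multi-factor authentication on all remote access",
    "C-PATCH-01": "Critical patches applied within SLA",
    "C-BCP-01": "Tested recovery plan for critical services",
}
CAUSE_LIBRARY = {
    "K-01": "Unpatched vulnerability",
    "K-02": "Weak or reused credentials",
    "K-03": "Single point of failure",
}
RATING_ORDER = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class RegisterEntry:
    business_unit: str
    risk: str                   # id from RISK_UNIVERSE, never free text
    rating: str
    controls: Tuple[str, ...]   # ids from CONTROL_UNIVERSE
    causes: Tuple[str, ...]     # ids from CAUSE_LIBRARY


def validate(entries: List[RegisterEntry]) -> List[str]:
    """Reject entries that bypass the common language (unknown ids or ratings)."""
    problems = []
    for e in entries:
        if e.risk not in RISK_UNIVERSE:
            problems.append(f"{e.business_unit}: unknown risk id {e.risk!r}")
        if e.rating not in RATING_ORDER:
            problems.append(f"{e.business_unit}: unknown rating {e.rating!r}")
        problems += [f"{e.business_unit}: unknown control id {c!r}"
                     for c in e.controls if c not in CONTROL_UNIVERSE]
        problems += [f"{e.business_unit}: unknown cause id {k!r}"
                     for k in e.causes if k not in CAUSE_LIBRARY]
    return problems


def category(risk_id: str) -> str:
    return risk_id.rsplit("-", 1)[0]        # "R-CYB-01" -> "R-CYB"


def roll_up(entries: List[RegisterEntry]) -> Dict[str, dict]:
    """Aggregate per risk category across business units: count, worst rating, units exposed."""
    agg: Dict[str, dict] = {}
    for e in entries:
        cat = agg.setdefault(category(e.risk), {"count": 0, "max_rating": "low", "units": set()})
        cat["count"] += 1
        cat["units"].add(e.business_unit)
        if RATING_ORDER[e.rating] > RATING_ORDER[cat["max_rating"]]:
            cat["max_rating"] = e.rating
    return {k: {**v, "units": sorted(v["units"])} for k, v in agg.items()}


def common_causes(entries: List[RegisterEntry], min_units: int = 2) -> List[Tuple[str, int]]:
    """Causes recorded in at least min_units distinct business units, most widespread first."""
    units_by_cause = defaultdict(set)
    for e in entries:
        for k in e.causes:
            units_by_cause[k].add(e.business_unit)
    hits = [(k, len(u)) for k, u in units_by_cause.items() if len(u) >= min_units]
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))


def uncontrolled(entries: List[RegisterEntry]) -> List[Tuple[str, str]]:
    """Register entries with no control mapped: thematic gaps visible to all three lines."""
    return [(e.business_unit, e.risk) for e in entries if not e.controls]


# Constructed register entries from three hypothetical business units.
ENTRIES = [
    RegisterEntry("Retail", "R-CYB-01", "high", ("C-IAM-01",), ("K-02",)),
    RegisterEntry("Retail", "R-CYB-02", "medium", ("C-PATCH-01", "C-BCP-01"), ("K-01", "K-03")),
    RegisterEntry("Corporate", "R-CYB-01", "critical", ("C-IAM-01", "C-PATCH-01"), ("K-01", "K-02")),
    RegisterEntry("Corporate", "R-OPS-01", "medium", ("C-BCP-01",), ("K-03",)),
    RegisterEntry("Treasury", "R-CYB-01", "high", (), ("K-01",)),
]

if __name__ == "__main__":
    assert not validate(ENTRIES)
    print(roll_up(ENTRIES))
    print(common_causes(ENTRIES))
    print(uncontrolled(ENTRIES))
```

On the constructed entries the cyber category rolls up to four entries across three units with a worst rating of critical, the unpatched-vulnerability cause (K-01) appears in all three units, and Treasury's unauthorised-access risk has no control mapped at all. None of that is visible while each unit describes the same risk in its own words.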

Focus on forward-looking risks

The use of risk registers can be seen as a ‘tick-box’ exercise that is characterised as compliance, as opposed to one of many sources of information pertinent to strategic decision making.

Organisations can get lost in the detail, especially from operational issues arising from the risk register. They can become overly risk-averse in their approach to strategic decision-making.

Therefore, move away from static risk registers that are essentially backwards looking and work towards a dynamic forward-looking view of risks (i.e., emerging and ‘moving’ risks).

Many organisations have implemented risk assessment and monitoring processes around their existing activities. But few have applied the same discipline and effort around new and emerging risks, where decisions often have the greatest impact.

Create time and space for intentional one-to-one interactions

Identify key relationships where one-to-one interactions occur.

These interactions include:

  • Board chair and CEO
  • Risk committee chair and CEO
  • Risk committee chair and CRO

Create space, time and permission for quality reflection, introspection, and learning

Make time for effective risk-management discussions even if it can be perceived as a bureaucratic hindrance or getting in the way of what are perceived to be more immediate board-level concerns. More so when environments are dynamic and fast-paced.

Limited reflection and learning, coupled with a focus on the day-to-day, can lead to missing the bigger picture or the full depth of risk issues, both current and emerging.

Create risk safe zones for open risk discussions

Overcome difficulties associated with enabling debates and challenges in the boardroom and management meetings, especially when discussing sensitive risks.

Create ‘safe-zone’ discussions for open and frank risk discussions where constructive dissent and disagreement are encouraged within a non-judgemental and supportive environment.

Create ‘in-camera’ sessions with board members

The ‘risk safe zone’ can be taken a step further by holding separate non-executive ‘in-camera’ sessions. This allows for the candid and transparent discussion of risk without the presence of the executive team members.

These sessions allow board members, especially non-executive directors, to meet without the presence and influence of the executive team to create a safe zone for the candid discussion of risk. This can be enhanced further by allowing board members to meet with representatives of the risk and independent oversight functions to ensure that the tone at the top reflects the tune on the shop floor.

This is particularly effective in mitigating the effect of dominant executive personalities, when a ‘command and control’ dictatorial approach to strategic risk in the boardroom may run contrary to the board’s effective performance of its assurance function.

Don’t fall for dominant executive personalities

Just because an executive is dominant or has an industry reputation, hold them to account regardless of the level of trust. It is not a question of trust but accountability.

Trusting someone to do the right thing is not the same as being accountable.

Reimagine risks as potential opportunities

Organisations pursue risks to survive and prosper. Identify positive or upside risks or opportunities instead of just negative or downside risks, or threats.

Risk can be positive (upside risk – i.e., opportunities) or negative (downside risk – i.e., threats). Treatments differ for both – either risk optimisation for opportunities or risk minimisation for threats.

Learn how to exploit potential opportunities and ask the question: “What must we do right to get what we want?”

Viewing risk as having only a negative effect can lead to the organisation being underprepared for opportunities and failing to deliver other priorities.

Avoid using words such as ‘risk’, where appropriate, if they have a negative meaning in your organisation. Consider alternatives such as ‘opportunities’, ‘volatility’ and ‘uncertainty’.

Integrate your strategy and risk decisions

When setting your strategy and business objectives, consider the potential for better or worse-than-expected outcomes from the outset.

Knowing your challenges upfront can help your organisation navigate the issues proactively.

Boards should adopt the 75:25 rule

Spend 75% of board meetings looking outwards and forwards. This will help the board to identify external and future threats and opportunities.

Spend the remaining 25% of board meetings looking inwards and backwards. This will help the board to understand the organisation’s capabilities, competencies, and financial sustainability.

Create standing agenda items for risk and performance at meetings

All papers going to the board and executive meetings should have a dedicated risk section within the executive summary, highlighting their risk implications for the strategic objectives of the business.

This intentionality provides visible anchor points for discussion of the strategic risk-reward equation.

Conduct a ‘deep dive’ analysis of risk

Conduct a ‘deep dive’ analysis of key strategic risks or emerging risks. This ensures that the reporting of information is tailored to the needs of the decision-makers.

Involve and solicit inputs from the experts through discussion and facilitation. Then identify, assess, and respond to risks that affect the achievement of their objectives.

Use failures as feedback

Encourage the organisation to learn the lessons from past failures. Use this information as feedback to assist the organisation in improving its approach to understanding and dealing with risk.

Translate learnings across business units in a meaningful way. Actively learn from risks that have materialised and from near-misses.

Use practical examples and storytelling

Use hands-on practical examples to help organisational members with their risk-related discussions.

Ask people who may be more mature in risk management to provide examples of success and failure stories and share experiences with other organisational members.

The Risk Team coordinates the network of risk advisors or ambassadors to share good practices and lessons learned across operations and regions.

Build a network of risk ambassadors

Organisations may identify and train ‘risk champions’ to take the risk message forward, using the established train-the-trainer approach. This will ensure better and more focused risk identification, assessment, and treatment.

‘Risk champions’ can be of three types:

  • Official risk coordinators – Organisational members whose official duties include coordination of risk management processes within individual processes or business units. They are usually responsible for preparing information about risks, monitoring risk mitigation progress, and organising risk management events or training.
  • Informants – Organisational members who have established informal, yet trusted relationships with the risk managers. They provide information about emerging risks or changes in the organisation’s processes or risk profile. A large network of informants is critical for risk managers to stay up to date on what is happening in the company.
  • Influencers – Organisational members who support the integration of risk management principles in the organisation’s activities and processes because it makes good business sense for the organisation or them personally. They will usually participate in the Risk Management Committee meetings and will support initiatives proposed by the risk managers.

When scaling up or rolling out risk management throughout an organisation, it is helpful to create a network of decentralised risk ambassadors who will help:

  • Provide sufficient support and coordination across the organisation for risk management activities to be performed in a consistent and technically robust manner.
  • Ensure a multi-functional team approach in risk assessment and treatment.
  • Prepare and deliver risk management train-the-trainer programmes.
  • Reinforce ownership of risks at the level of programme staff and provide the required autonomy to focus on the key risks in the given location and/or subject area.
  • Help to define and monitor appropriate risk appetite metrics in consultation with risk owners.
  • Strengthen the message that risk management is a substance-driven need and the exercise is intended to achieve the more effective and reliable achievement of objectives.

The risk advisors can be embedded alongside the first line of defence. To maintain a degree of independence and strategic overview, they are not appointed in management or supervisory roles.

Instead, they work across all functional areas to help identify existing risks, anticipate emerging risks, and design, implement and monitor appropriate preventive measures and responses to key risks.

The risk advisors also work with relevant external stakeholders to ensure that risk management is inclusive and transparent. They also train colleagues and partners to raise awareness and improve risk management literacy and skills.

Focus on user experience and value add

Although risk management is about the substance, ineffective processes or tools can inhibit risk management from being effectively institutionalised. If operational staff feel the risk process is cumbersome or frustrating, they may be reluctant to engage.

Develop integrated processes, systems and tools that enable people to feel empowered and in control of their risks and the risk management process.

Encourage reporting and escalation of risks

Many operational and compliance issues are not escalated in sufficient detail for the Board to fully understand, discuss and make decisions on them. Issues, incidents and risks should be identified and escalated through the organisational hierarchy, and risk information should flow up and down that hierarchy in a transparent and timely manner.

Business rules or triggers are developed to report and escalate performance and risk information. Regular risk conversations (e.g., through team meetings, and formal and informal risk management processes) are held. Organisational members are encouraged to escalate or raise concerns, risks, or issues.

Guidance is provided on how to raise risks within the business area and to the enterprise risk team.

Risk management training and instruction tailored to specific roles are regularly provided.

Encourage whistleblowing

As most frauds are uncovered through tip-offs, organisations should encourage whistleblowing in a psychologically safe manner.

Organisational members should be able to easily pick up the phone to the risk team to escalate negative risk-taking behaviours, especially when they do not feel safe doing so with their immediate managers. Alternative avenues for escalating or reporting potentially harmful actions must be considered and promoted.

Risk-taking behaviours rewarded or challenged

When opportunities are identified and positive risk-taking behaviours are demonstrated to produce a better outcome for the organisation and its clients, these positive behaviours should be acknowledged and rewarded.

But when negative risk-taking behaviours are demonstrated or identified, they should be respectfully challenged or called out in a psychologically safe environment of mutual trust and respect. Risky decisions or actions that could cause losses to the organisation must be challenged, and the organisation should learn from these situations.

Risk management skills are valued, encouraged, and developed

While risk management can be complex, several common soft skills are relevant for managing risks:

  • Analytical skills – Organisational members need analytical skills to collect data and make important decisions using available data. They also need to spot holes and weaknesses that others may have missed in the system, infrastructure, and other areas.
  • Problem-solving skills – Organisational members must solve problems. While some risks may require passing the news on to someone above their pay grade, most will fall to them to solve.
  • People management and leadership skills – All the problem-solving skills in the world are useless if managers can’t rouse the troops. Organisations need good people and leadership skills to inspire and lead staff. Risk management may require upsetting the apple cart, and managers need to retain the respect of their team through such challenges.
  • Relationship-building skills – Organisational members need to be able to build relationships, not just with their immediate subordinates but with other departments and superiors.
  • Business understanding – To identify and estimate risks to the organisation, organisational members need to understand how the entire business works. They can’t say finance doesn’t matter because they are in IT, or vice versa. Business understanding is a must for organisational members.
  • Ability to quantify risks – After assembling a list of potential risks, organisational members need to be able to rank, on a scale of their choosing, the likelihood and severity of each risk. They should end up with a complete list that orders risks from most to least likely and from most to least severe.
  • Ability to choose mitigation strategy – Organisational members need to confidently choose the appropriate mitigation strategy – acceptance, avoidance, limitation or sharing.
  • Strategic thinking – If an organisational member looks at how things affect the business as a whole, they might come up with a better way to operate.
  • Adaptability – Risk management requires constant education and keeping up with the news.

Tailored risk management training is required to enhance the risk management skills of organisational members and decision-makers.

Regular challenging of the status quo from diverse perspectives

Groupthink can be problematic for organisations. It can blindside the organisation to emerging risks and issues.

When there is a desire for harmony in decision-making, it is easy for the group to override realistic appraisals of alternatives.

As complementary producer-administrator-entrepreneur-integrator (PAEI) teams and individuals are required for the organisation to be effective and efficient in the short and long run, organisational members must be given the license to challenge the status quo from different perspectives within a psychologically safe environment. When there is openness and transparency, the organisation can thrive.

Hold management to account for the closure of risks

Apply sufficient rigour in holding management to account for the mitigation and closure of risks and issues. The same rigour applies to the closure of internal audit recommendations.

By fully implementing the agreed risk treatments or mitigations and monitoring the effectiveness of the controls in place, organisations can ‘close’ the risk on the risk register and focus their attention and resources on the next highest risks.

Formalise informal risk management

When formal and informal risk management coexist in an organisation, trigger criteria or business rules should be established to guide decision-makers as to when an informal risk assessment should proceed to a formal one.

Create a process for capturing the results of an informal risk assessment through emails, minutes, or other meeting notes.