A company’s ethos is set from the top, so shouldn’t it make sense that senior figures need to set the tone for the risk management culture as well?
“You can’t control people through policies, procedures and policing. You can only do it through a strong risk management culture and absolute integrity in all leaders.” Leadership on Trial, A Manifesto for Leadership Development
Although this is an opinion rather than a hard fact, it is certainly true. Taking responsibility at the highest level in an organization for embedding risk is essential in effective risk management.
Seasoned risk managers will know the importance of gaining support from senior management and outlining responsibilities early in the process.
As a company’s success and survival can depend on the proper implementation of risk management, it is important that senior figures have overall responsibility for it. Often a dedicated Chief Risk Officer is employed who reports to the CEO.
Previously, enterprise risk was seen as a hindrance rather than a necessity, but businesses are now realising its importance. A Harvard Business Review survey found that in more than 70% of organizations, a senior person or team had direct responsibility for risk management, which shows it is being taken seriously.
If you need employees to change their way of thinking or working, engaging them starts with communication from the leaders. Sharing and explaining the company’s risk management framework, its processes and people’s individual responsibilities must be consistent, continuous and truthful. A single email to all employees from the CEO, with a copy of the framework attached and never mentioned again, will not implement an effective risk culture.
In the same Harvard Business Review survey, 48% of respondents said that the Chief Risk Officer plays a role in communicating the risk culture, with the Board at 44% and the C-suite at 34%.
People follow the leader, and if the CEO, Board and Chief Risk Officer are all sharing the same message, this will be backed up through the different levels of management and line managers.
With risk culture playing a vital part in the mindset of employees, there is an argument for risk managers to be part of shaping the whole company culture.
ISO 31000, the internationally recognised risk management standard, focuses on the importance of implementing a coherent risk culture within a business. Without this element of risk management, all the planning is pointless. Given the regulatory, reputational, financial and other responsibilities placed on a company, clearly explaining to employees what steps they must follow in specific situations is fundamental to business survival. Given the gravity of this, it is only fitting that communication, responsibility and practice come from the top.
How to show commitment
It’s easy to say that “We are committed to risk management”, but how do you put this into practice? Leaders have to be seen to be buying into the idea of risk management and be seen to be following processes themselves.
Here are just some of the ways to show commitment to risk management:
- Set the example – the CEO, Chief Risk Officer and the Board of Directors must be seen to be following the same processes that the rest of the company is expected to follow
- Allocate resources (people and financial) to implement, monitor and improve risk management within the business
- Introduce a risk management system – this could be a simple solution or a tailored option
- Ensure that those responsible for risk management are seen as leaders in the business
- Communicate risk management plans and give those who are affected by the processes (this could be everyone) the opportunity to have input into the plans
- Provide training where necessary.