The Human Side of Risk Management
The 2019 Deloitte risk management survey showed that more than 93% of C-level executives think risk management will become more important to achieving strategic goals in the future. However, risk management is more than just processes, data, and frameworks. It’s also about culture. This means that people are critical to good risk management execution.
But there’s more to managing the people side of risk than protecting against professional liability, according to NimbleFins—companies need to take tangible steps to build an effective risk management culture. Here we’ll recap the traits of companies with a strong risk culture, based on research by McKinsey & Company.
Taking stock of the risks faced by a business takes boldness. It means acknowledging potential issues that could lead to failure, disaster, loss, or humiliation. And not just internally—risk must also be discussed with shareholders or even regulatory bodies where appropriate.
While these conversations can be difficult, businesses that face up to potential risks can actually be in a better position to take on more risk.
A business willing to acknowledge potential risks can proactively identify and stay ahead of issues, enabling growth and gaining the confidence of investors, regulators, or other third parties. This type of business can size risks and have plans for handling a potential disaster, providing the right environment for taking on additional risk as business opportunities arise.
On the other hand, a business scared to identify potential risks will be in a defensive position: afraid of what it doesn’t know, and worried about the reactions of shareholders, regulators, clients, and more if something does go wrong. These companies cannot move forward with confidence or take on more risk as they grow. Instead, companies that don’t acknowledge risk tend to be stagnant and more risk-averse.
Having an openness and willingness to discuss problems creates an environment where managers feel confident in raising the flag and alerting others instead of trying to hide a problem. At that point, the issue can be analysed and mitigated. On the other hand, issues that are ignored or hidden tend to worsen, increasing risk.
Transparency is enhanced by good risk planning because managers will feel their company can cope with the risk of problems that arise. In companies with good risk management plans in place, a manager will feel more comfortable disclosing any developing issue they identify early on. This is because they’ll feel confident that their company can handle a disaster.
A culture that encourages discussions also helps with transparency. Managers who feel they can’t raise issues when they arise without repercussion are more likely to ignore issues as they develop or avoid telling superiors.
Planning and an open culture lead to an environment where risks are more likely to be mitigated and less likely to lead to disaster.
Respect for Risk Controls
Having a comprehensive set of risk controls in place is just part of the equation. The guidelines and controls must be followed in order to work. This means that the risk management controls must not be too onerous, and respect for the systems must be maintained to ensure compliance.
The risk controls must be sensible. When risk controls are impractical, employees and managers alike are more likely to search for ways around them. This defeats the point of having a structure in place at all.
And when risk guidelines are circumvented, secondary harm is done. People can lose respect for the risk management system altogether. Once that happens, the culture shifts to one of trying to work around the system instead of working within it.
Ideally, risk controls are established with the input of parties who will comply with them on a day-to-day basis. This step helps ensure that risk controls are practical and manageable, increasing the odds that employees and managers will follow them. This is critical because attitudes about the risk strategy will impact day-to-day decisions throughout a company.
Companies large and small must ensure that consensus has been built in support of the risk culture among all leaders. This can be accomplished by ensuring all leaders agree on the type of culture they want for the company. Defining the culture is key, and can involve agreeing on a set of core statements about the risk culture. For instance, “We will always understand the infrastructure implications of the risk decisions we make.”
Companies change over time. Leaders and other employees come and go, markets evolve and businesses adapt. In parallel with these changes, the entire risk management strategy, from culture to controls and processes, must be re-evaluated regularly. An annual review can be a sensible way to ensure a company’s risk culture and controls are still suitable and capable of mitigating risk. But annual reviews must go beyond checking oversight processes and structures—underlying attitudes about the risk strategy must also be clocked. Because if the risk culture has shifted, these risk controls won’t do a lick of good.