What does risk culture mean?
By Juan Pablo Calle, on December 11, 2019
A strong risk culture is the key to aligning all fronts of a company according to its strategic objectives.
In the business world, changes occur at a dizzying rate. These dynamic and unpredictable movements produce sudden and unexpected consequences. Indeed, a risk can appear in one of those moments and cause different levels of impact, combining itself with others and generating greater threats.
When a bank's customer data is leaked, for example, there is not only a privacy risk, but also a reputational risk. Depending on the course of events, new legal or financial risks could even be triggered in a short time.
Thus, it is important to have a risk culture that allows us to report, escalate and take action on possible damages or take advantage of opportunities. Of course, a risk is not just about danger. It can also provide an opportunity to optimize vulnerable areas and improve company fronts or initiatives.
In this case, you have to take into account not only the operative part of the company, but also those behind the processes, i.e. people.
In fact, the behavior exhibited by the members of an organization when facing risk, their discipline, functions, change management, training and all aspects related to the human resources of a company, are essential to establish and maintain adequate risk management.
But what is risk culture?
The definition of risk culture includes the values, beliefs, attitudes and knowledge regarding risk held within a company, both public and private, for profit or not.
The sinking of the Titanic serves as an example to define what a good risk culture should be and how the lack thereof could lead to the fall of an entire organization.
Although at first glance an iceberg seemed to have been responsible for the sinking of the Titanic, a series of previous events reveal how the lack of a risk culture within the ship caused the disaster.
First, there was the belief that the Titanic was indestructible. This reduced the thoroughness of security and inspection measures. Therefore, the boat set sail with structural problems and at a speed that was unsafe for navigating the high seas. On top of that, the ship's captain had ignored the iceberg alerts on the way.
If a proper risk culture had been in place, the crew members would have had a clear position on which risks were considered acceptable or unacceptable, i.e. a level of risk appetite would have been defined. Based on that, they would have taken the necessary steps to avoid the collision with the iceberg.
This, in turn, would have required a channel for reporting incidents that would reveal any gap between the level of risk appetite and the decisions made by the ship's crew.
However, since there was no risk culture in place at all levels of the organization and the information was not flowing from the top to the bottom, the captain's decision-making methods were not questioned and relevant alerts were not issued in time.
In this regard, if the Titanic had had rules, collective attitudes towards risk and an organizational awareness that would allow it to be handled properly, the impact of events would have been reduced.
How to create a risk culture in my organization
To be effective, a risk culture must begin with an appropriate internal control environment. In this regard, it is necessary to establish a management philosophy, determine the level of risk appetite, specify the ethical values that guide your operations, and have a clear organizational structure and good practices for contracting and training human resources.
After that, the meaning of the risk culture within the organization must be defined, taking into account the corporate purpose, mission and values. This allows the scope of the risk culture to be defined explicitly, which in turn makes it easier to disseminate and communicate the risk culture at all levels of the company.
In short, all these plans should be aimed at creating a good environment of governance, competence and decision making.