Risk Management School

How to build an effective risk management culture

Written by Risk Management School | 17 de October de 2023

In this class, Alejandro Orrego, CEO at Pirani, teaches us what culture is, the ABC model of Corporate culture, Risk culture, What is not Risk Management Culture, How to design a strong risk culture, IRM Risk culture aspects model, Signs of good RMC, the Three lines of defense, and how to put it in practice with a simple use software as Pirani.

What is culture?

The values, beliefs, knowledge, and understanding, shared by a group of people with a common purpose.”

IRM / Hillson

Corporate culture

Corporate Culture refers to the shared values, beliefs, behaviors, and norms that characterize the internal environment of an organization.

It encompasses the company's mission, expectations, and how employees interact with each other and stakeholders outside the organization. 

Corporate culture can influence how employees perceive their roles and decisions and how the organization responds to challenges and opportunities.

RISK MANAGEMENT culture

Risk culture must be part of the corporate culture. Risk culture is a specific culture within the Corporate Culture. It is how we decide and act in the face of our company's risks.

What is RISK MANAGEMENT culture?

Refers to the values, beliefs, knowledge, attitudes, and understanding of risk shared by a group within an organization. It influences the decisions and behaviors of individuals and teams when addressing risks.

A strong risk management culture promotes an environment where every employee understands the importance of risk management and plays an active role in identifying, communicating, and addressing risks to achieve the organization's objectives. It encourages open communication about risks, lessons learned from past experiences, and continuous improvement in risk management practices.

What is NOT RISK MANAGEMENT culture?

  • Training
  • Guides
  • Procedures
  • Games and activities
  • Encouraging messages of risk

These elements are part of and tactics of risk management culture.

How to design a strong Risk Culture?

Designing a strong risk culture requires a comprehensive approach that integrates risk awareness, understanding, and management into the very fabric of an organization. Here's a step-by-step guide to help you design a robust risk culture:

  • Top-Down Commitment: Leadership must demonstrate a commitment to risk management. This commitment will set the tone for the rest of the organization. Leaders should actively communicate the importance of risk management and embed it into strategic decisions.
  • Clear Risk Appetite: Define and communicate the organization's risk appetite, which is the level of risk the organization is willing to accept in pursuit of its objectives. This provides a guideline for decision-making at all levels.
  • Integrate Risk into Decision-Making: Risk considerations should be part of everyday decision-making, not just a separate activity or checklist. This integration ensures that risk is naturally factored into decisions, projects, and processes.
  • Continuous Education & Training: Regularly train employees on risk management concepts, tools, and techniques. Ensure they understand the risks that could impact their work and how to address them.
  • Regular Risk Assessments: Conduct routine risk assessments to identify, evaluate, and prioritize risks. This proactive approach helps ensure that the organization is always prepared and aware of potential challenges.

IRM Risk Culture Aspects Model

There are four main aspects, each with two elements:

  • Tone at the top
    • Risk leadership, clarity of direction
    • How an organization responds to bad news
  • Governance
    • Clear accountability for managing risk
    • Transparency and timelines of risk information
  • Decision making
    • Well informed risk decisions
    • Appropriate risk-taking rewarded and performance management linked to risk-taking.
  • Competency
  • Status, resourcing, and empowerment of risk function
  • Risk skills - the embedding of risk management skills across the organization.

Signs for GOOD RISK MANAGEMENT culture?

  • Specific tool (software)
  • Access to everyone in the company
  • Events reported
    (by as many people as possible, in an easy way)
  • Three lines of defense clearly defined
    The risk area should not be the police officer. It should be a partner
  • TALK ABOUT IT
    Risk committee, what risks did you take, mitigate, what controls work best, etc…

RISK culture

A powerful risk culture does NOT mean eliminating or reducing risks, nor does it mean increasing controls.

It is necessary to take risks if we want to achieve profitability. Risk culture accepts mistakes as long as they are used as learning tools.

The key is to MANAGE RISKS, to find the balance between taking risks and controlling them.