Risk-aware culture

https://preteshbiswas.com/wp-content/uploads/2024/12/Fostering-a-Risk-Aware-Culture_-LILAC-and-Maturity.wav

The culture of an organization can be hard to define, but it generally reflects the attitudes and behaviors of everyone in the organization, not only management. It shapes how individuals act in different situations and sets expectations for behavior in all circumstances. A strong risk culture stems from shared values, attitudes, and behaviors that align with the organization’s risk management goals. In organizations with a risk-aware culture, communication is based on mutual trust, there is a shared understanding of the importance of managing risks, and people have confidence in the chosen control measures and are committed to following established risk procedures. Work by the UK Health and Safety Executive (HSE) identified the key elements of a risk-aware culture as Leadership, Involvement, Learning, Accountability, and Communication, forming the acronym LILAC. Developing a culture in which effective risk management is part of everyday work is a long-term goal for many organizations. For example, an organization that wants to improve security awareness could launch a campaign highlighting the risks and how to manage them. To be effective, the campaign should use a variety of communication methods and incorporate the LILAC principles. Activities might include risk awareness training, posters, site inspections, reporting systems for defects, and distributing informational materials such as leaflets and brochures.

A risk-aware culture refers to an organizational environment where employees at all levels understand the importance of risk management and actively integrate it into their daily decision-making. It emphasizes awareness, responsibility, and proactive engagement with potential risks so that organizational goals are achieved effectively. Key characteristics of a risk-aware culture include:

  1. Shared Understanding: Employees and management recognize the organization’s risk appetite and understand how their roles contribute to managing risks.
  2. Open Communication: Risks are openly discussed, with employees encouraged to report potential risks without fear of blame or retaliation.
  3. Proactive Risk Management: Risks are identified, assessed, and addressed before they escalate, rather than reacting only after issues arise.
  4. Leadership Commitment: Senior leaders model and promote the importance of risk management, ensuring it is embedded in strategic planning and operational processes.
  5. Continuous Learning: The organization regularly reviews past incidents, learns from them, and improves its risk management practices.

In a risk-aware culture, the focus is on balancing risk and opportunity. Employees understand that taking risks is necessary for growth, but those risks must align with the organization’s overall objectives and risk tolerance.

A risk-aware culture is achieved by LILAC:

  1. Leadership: Strong leadership within the organization in relation to strategy, projects and operations
  2. Involvement: Involvement of all stakeholders in all stages of the risk management process
  3. Learning: Emphasis on training in risk management procedures and learning from events
  4. Accountability: Absence of an automatic blame culture, but appropriate accountability for actions
  5. Communication: Communication and openness on all risk management issues and the lessons learnt

A risk management program can only succeed if the organization’s culture supports it. For this to happen, the organization needs a risk-aware culture. Senior management plays a key role in fostering this culture by setting clear risk management goals and demonstrating their commitment through both verbal and written communication. Senior management must also be actively involved. This includes participating in training to fully understand their responsibility for managing risks. Risk specialists should act as advisors, and there should be systems in place to provide employees with updates on decisions that impact them. A learning culture is essential for a risk-aware environment. It helps organizations identify and correct poor risk behaviors. Analyzing incidents in detail and providing clear feedback are crucial steps. Workshops on risk-related topics are also an important part of building this culture. Accountability is critical, but it should not lead to a blame culture. The organization should shift to a “just culture,” where accountability is balanced with fairness. When incidents happen, management should show empathy and encourage employees to report issues without fear of personal blame or punishment. Lastly, strong communication is key. Senior management must ensure that risk information flows freely. This includes welcoming reports from employees and external sources and sharing updates on risk performance regularly.

  • Barrier: Lack of understanding of risk management and belief that it will suppress entrepreneurship. Action: Establish a shared understanding, common expectations and a consistent language of risk in the organization.
  • Barrier: Lack of support and commitment from senior management. Action: Identify a sponsor on the main board of the organization and confirm shared and common priorities.
  • Barrier: Seen as just another initiative, so its relevance and importance are not accepted. Action: Agree a strategy that sets out the anticipated outcomes and confirms the benchmarks for anticipated benefits.
  • Barrier: Benefits not perceived as being significant. Action: Complete a realistic analysis of what can be achieved and the impact on the mission of the organization.
  • Barrier: Not seen as a core part of business activity and too time-consuming. Action: Align effort with core processes and achievement of the mission of the organization.
  • Barrier: Approach too complicated and over-analytical (risk overkill). Action: Establish an appropriate level of sophistication for the risk management framework and for undertaking risk assessments.
  • Barrier: Responsibilities unclear and the need for external consultants unclear. Action: Establish an agreed risk architecture with clear roles and accepted risk responsibilities.
  • Barrier: Risks separated from where they arose and should be managed. Action: Include risk management in job descriptions to ensure that risks are managed within the context that gave rise to them.
  • Barrier: Risk management seen as a static activity not appropriate for a dynamic organization. Action: Align risk management effort with the mission of the organization and with business decision-making activities.
  • Barrier: Risk management too expansive and seeking to take over all aspects of the company. Action: Be realistic: do not claim that all the business activities within the organization are risk management by another name.

Steps to successful risk management

There are three complementary styles of risk management, related to the nature of the risk under consideration. Hazard management, control management and opportunity management define and describe the approach and, to some extent, the level of sophistication that an organization applies to risk management at a point in time. Hazard risks always have a negative outcome associated with them; the maximum exposure to such a risk that is acceptable to the organization is the hazard tolerance. Control risks have a cost associated with controlling them, and this cost can be described as the control acceptance. Opportunity risks have a range of possible outcomes from highly positive to highly negative; the intended and planned outcome is, of course, positive. The organization will be willing to put resources at risk in pursuit of opportunity risks, and this is the opportunity investment. The type of risk under consideration helps determine the style of risk management that will be applied. However, some risks may need to be managed using all three styles at different stages in the lifecycle of the risk. Adding compliance management, which simply fulfils legal obligations and is the baseline from which the other three develop, gives four styles of risk management that can be summarized as follows:

  • Compliance management: based on fulfilling legal obligations, such as health and safety
  • Hazard management: ‘total cost of risk’ approach developed by the insurance world
  • Control management: based on the internal control approach of internal auditors
  • Opportunity management: interface between risk management and strategic planning

The hazard tolerance, control acceptance and opportunity investment are the values that the organization is willing to put at risk. These three components added together are the risk appetite of the organization and represent its total acceptable risk exposure. The total risk exposure is the sum of the risk exposures for the individual risks, and this actual risk exposure may differ from the risk appetite of the board and/or the risk capacity of the organization. The insurance risk manager will normally manage motor vehicle risks as a loss minimization or ‘total cost of risk’ issue. The avoidance of internal fraud will normally be managed as an internal control issue and will be monitored and reviewed by the internal audit department. Risks associated with a merger or acquisition should be managed as an opportunity issue by the CEO or a nominated senior executive.

To improve an organization’s risk management, a dedicated initiative is needed. The approach will depend on the size, complexity, and nature of the organization, as there is no one-size-fits-all solution. Different organizations will have different reasons for implementing risk management and will expect different results. The key first step is securing support from a board member or senior executive to lead the initiative. Guidance for successful implementation can be found in various risk management standards and frameworks. As risk management evolves, the steps organizations take will also change. With the rise of governance, risk, and compliance (GRC), risk management now operates in a broader context, and risk professionals must ensure their efforts align with the organization’s overall activities and internal environment. While having a clear implementation plan is important, it is equally vital to identify potential barriers. Common obstacles include:

  • Influence of senior management within departments
  • External factors like corporate governance
  • The organization’s business nature, products, and culture
  • Attitudes shaped by past risk management experiences
  • The origins of the risk management function within the company

Understanding these barriers allows for strategies to overcome them. Successful risk management relies on the commitment of everyone involved, as weak links can undermine progress. Analyzing these challenges helps pinpoint the best methods to ensure risk management delivers maximum benefits. There is no fixed timeline or single action to guarantee full implementation. Many organizations find that achieving complete implementation can take 2 to 5 years. The timeframe may be longer if a comprehensive risk management information system (RMIS) is part of the plan.

Achieving successful enterprise risk management

  1. Engage senior management and board of directors to provide organizational support and resources.
  2. Establish an independent ERM function reporting directly to a board member.
  3. Establish the risk architecture at executive and board levels, supported by internal audit.
  4. Develop the ERM framework that incorporates an appropriate risk classification system.
  5. Develop a risk aware culture fostered by a common language, training and education.
  6. Provide written procedures with a clear statement of the risk appetite of the organization.
  7. Agree monitoring and reporting against established objectives for risk management.
  8. Undertake risk assessments to identify accumulations and interdependencies of risk.
  9. Integrate ERM into strategic planning, business processes and operational success.
  10. Contribute to the success of the organization by delivering measurable benefits

Measuring an organization’s risk culture can be challenging, but it’s essential. Audit committees often ask how seriously different departments or locations approach risk management. While it’s easy to provide a general, qualitative answer, quantitative measurements are necessary to pinpoint weak areas and plan improvements. The Canadian Criteria of Control (CoCo) framework is one way to measure risk culture. Another method is for the audit committee to assess the level of risk assurance provided by specific units or divisions. Risk culture can also be evaluated by examining the organization’s risk maturity, which provides measurable insights into its risk awareness and management practices. The quality of a risk management policy and the details in risk guidelines or protocols can also reflect the organization’s risk culture. For many organizations, improving risk culture is a strategic objective, particularly when weaknesses in risk awareness are identified. Improving risk management processes alone doesn’t guarantee a better risk culture. For example, enhancing internal audits might boost compliance but won’t necessarily strengthen the organization’s risk culture. True improvements in risk culture should lead to better risk assurance and greater overall benefits. Frameworks like ISO 31000 emphasize the importance of understanding an organization’s context—external, internal, and risk management—because context is closely tied to risk culture. Similarly, both the CoCo and COSO ERM frameworks focus on the control or internal environment, which are key indicators of risk culture and awareness. A better risk culture can lead to improved risk performance by enhancing the organization’s internal environment, control environment, and risk management practices. Using tools like the balanced scorecard helps align risk management with the organization’s broader strategies, making it easier to embed risk management into daily operations and foster a risk-aware culture.

Risk awareness campaign: Risk management has been integrated into the organization through three main steps: a risk awareness campaign, new risk identification processes at the directorate level, and ongoing improvements to existing risk processes at the strategic level. The awareness campaign aimed to help staff understand their responsibilities regarding risk. At the directorate level, introducing risk registers was done collaboratively and inclusively. Strategically, the corporate risk register is being further developed to improve risk control and provide clear evidence to the board that risks are being effectively managed.

Risk Maturity

Risk maturity in Enterprise Risk Management (ERM) reflects how effectively an organization incorporates risk management into its operations, decision-making, and culture. It demonstrates the organization’s ability to recognize, assess, manage, and monitor risks systematically. The concept also gauges how well risk management aligns with organizational goals and how deeply embedded it is within the corporate structure. An organization’s risk maturity is often evident in its leadership and governance. When senior management and the board actively support risk management, it reinforces its importance across the organization. This commitment fosters a culture where employees at all levels understand their role in managing risk and are encouraged to take ownership. A mature risk culture emphasizes communication, where information about risks flows freely and transparently, enabling informed decisions and fostering accountability. Processes and frameworks also play a crucial role in risk maturity. Organizations with higher risk maturity have standardized procedures that are consistently applied across all departments. Risk management becomes an integral part of strategic planning, operational workflows, and project management, ensuring that risks are considered at every decision-making level. Over time, these practices evolve through continuous improvement, driven by regular reviews and feedback. Achieving a high level of risk maturity benefits organizations in multiple ways. It enhances their ability to anticipate and respond to risks proactively, leading to better resilience in the face of uncertainty. Stakeholders, including investors, regulators, and customers, gain greater confidence in the organization’s stability and foresight. Ultimately, a mature approach to risk management positions the organization for long-term success by aligning risk management with its broader strategic objectives.

Risk management activities, along with the organization’s risk structure, strategy, and protocols, should align with its core business processes. When risk information flows effectively through the risk management framework, it can generate several key benefits: meeting mandatory obligations, providing assurance, improving decision-making, and making core processes more effective and efficient, summarized as MADE² (Mandatory, Assurance, Decision, Effective and Efficient). Many risk management standards emphasize not only managing threats but also leveraging opportunities. Managing risks in specific areas, such as projects, has evolved into a specialized field with its own guidelines. To maximize the value of risk management, organizations need to decide whether their efforts will focus on strategy, projects, operations, or a combination of these. This decision helps integrate risk management into the organization’s broader activities, ensuring it becomes a natural part of daily operations rather than a separate task. Embedding risk management into regular business processes improves efficiency and fosters acceptance. Similarly, internal audit functions should align with the organization’s context and culture. Risk-based audit programs typically focus on high-risk areas and take the organization’s risk maturity into account; in less mature areas, internal audit may widen its scope to provide additional oversight. A useful way to measure how well risk management is embedded is the FOIL model: Fragmented, Organized, Influential, and Leading. In the fragmented stage, different departments manage risks separately without coordination. As processes become more organized, risks are managed collectively, often through a comprehensive risk register. When ERM becomes influential, it starts shaping decision-making by ensuring risks are fully considered in strategic and tactical planning. In the leading stage, risk management drives strategy development, with risk managers playing a central role in senior leadership and ensuring that risks are proactively managed from the outset.

Four levels of risk maturity

Level 1

Status (4Ns): Naïve. Level 1 organizations are unaware of the need for enterprise risk management and/or do not understand the benefits that would arise.

Characteristics (FOIL): Fragmented. Risk management activities are fragmented and focused on legal compliance activities, such as health and safety.

Level 2

Status (4Ns): Novice. Level 2 organizations are aware of the benefits of enterprise risk management, but have only just started to implement an ERM initiative.

Characteristics (FOIL): Organized. Actions are planned to co-ordinate risk management activities across all types of risk, although the plans may not have been fully implemented.

Level 3

Status (4Ns): Normalized. Level 3 organizations have embedded ERM into business processes, but management effort is still required to maintain adequate ERM activities.

Characteristics (FOIL): Influential. Embedded ERM processes are influencing processes and management behaviours, but this may not yet happen consistently or reliably.

Level 4

Status (4Ns): Natural. Level 4 organizations have a risk-aware culture with a proactive approach to ERM, and risk is reliably considered at all stages to gain competitive advantage.

Characteristics (FOIL): Leading. Consideration of risk is a substantial factor in making business decisions, and decisions about strategy are led by ERM considerations.

Risk maturity demonstrated on a matrix

Risk maturity can be measured by looking at how well risk management is integrated into an organization. The more mature an organization’s risk management practices, the more they become a natural part of daily operations. A risk maturity model helps assess how advanced these practices are and the benefits that can be achieved. Risk maturity is not only about the sophistication of risk management but also about how processes and capabilities are developed and applied. In organizations with low maturity, risk management is informal, and there may be a blame culture or a lack of accountability when things go wrong. Resources allocated to managing risks may not be appropriate for the level of risk faced. As an organization matures, it begins to adopt more structured processes; there is open communication and learning, and risks are better managed, with support available when needed. However, if an organization becomes overly focused on risk management processes, this can hinder its ability to make effective decisions, leading to a reliance on rules rather than judgment and to people becoming overly cautious. The four levels of risk maturity, known as the “4Ns” (naïve, novice, normalized, and natural), describe an organization’s progression. A naïve organization is unaware of the need for effective risk management, while a novice organization recognizes this need but has not yet made significant improvements. As the organization matures, it moves to a normalized stage where the desired behaviors are achieved, and finally to the natural stage, where risk management is automatic and embedded in the organization, with minimal effort needed to maintain it. The appropriate level of risk maturity for an organization depends on its risk exposure and the effectiveness of its risk management processes, and higher maturity does not in itself guarantee greater sophistication or better results. Nevertheless, organizations often set the goal of improving their risk maturity as part of their overall strategy, and a risk maturity model helps guide this process. Models such as the CoCo framework or the EFQM excellence model focus on improving the risk culture and strategy to ensure good risk management.
