The goal of this session was to show participants how they might:
- Define the characteristics of a risk-intelligent culture.
- Measure their organization’s alignment of risk culture, risk strategy and risk management.
- Incorporate tools that strengthen their risk culture.
The speakers in this RIMS 2016 session were:
- Heath Jones, Director, Enterprise Risk Management, Tennessee Valley Authority
- Dmitriy Borovik, Energy and Resources Enterprise Risk Management Services Leader, Deloitte & Touche LLP
The speakers first defined and provided an overview of a risk culture. A risk culture is based on values, beliefs, knowledge, attitudes and understanding about risk shared by a group with a common purpose, in particular, the employees of an organization. It also encompasses the general awareness, attitude and behavior of employees to risk and the management of risk within the organization.
It is the organization’s responsibility to ensure a risk-intelligent culture. A risk culture:
- Needs to align with and support company strategy
- Is shaped and influenced by the leaders’ actions and decisions
- Is sustained by employees’ behaviors
- Is reinforced by business and organizational systems and processes
The key elements of risk culture involve risk competence, motivation, relationships within the organization, how the organizational environment is structured and what is valued. It’s important to ensure employees have the right tools and skills to achieve these elements.
To strengthen a risk culture, an organization should establish a baseline from its current state and engineer a roadmap to its desired state. Here, you can utilize metrics that your organization already tracks, use data from events that have already occurred and capture and track employees’ attitudes, beliefs and behaviors through methods like surveys. This information can help you get to your desired state.
To further achieve the desired state of a risk-intelligent culture, organizations must:
- Focus on the big picture
- Change the behavior and mindset at multiple levels
- Build employee voices into the effort
- Demonstrate rather than tell
- Get personal
- Go local
- Recognize, reward and address
- Strengthen and sustain
It is critical to get the risk tone set at the top. It is up to executive leadership to establish a clear set of risk-related principles, and they must ask themselves:
- Are the principles valued and consistently applied to support strategic objectives?
- Does the organization demonstrate constructive debate on issues and communicate risks?
- Do employees take personal responsibility for risk identification and management?
- How are employees incentivized to make better risk-informed decisions?