7 Steps to Create a Risk-Aware Culture

How to build an organization in which everyone incorporates risk considerations into every decision—and why that’s crucial to long-term success.

The Internal Revenue Service launched a new channel for employees to confidentially raise concerns and risks to agency leadership. The agency has one of the most mature enterprise risk management (ERM) programs in government—and this is its latest move to promote a risk-aware culture. By empowering its workforce to spot and elevate issues as they arise, the IRS has prepared itself to recognize and address threats before they turn into problems for the agency.

This approach is representative of a broader trend: Many public- and private-sector organizations are making risk awareness part of their internal culture by putting risk management front and center for all employees, not just those with “risk” in their title. Amid the coronavirus pandemic, organizations learned just how important it is to be agile and quickly adapt to changing conditions. Pushing risk responsibilities out to the edges of an organization helps decision-makers quickly identify changing conditions and take corrective actions to mitigate emerging threats before they can escalate into something more harmful.

Aside from Covid-19, risks are growing in number and complexity, and identifying and managing myriad exposures takes an all-hands-on-deck mentality. In a risk-aware corporate culture, risk management is part of every critical decision by every stakeholder. Technology can raise stakeholders’ risk awareness by providing visibility into exposures across the organization and consistent, reliable data about the potential impact of those risks.

How to Start Building a Risk-Aware Culture

Culture is what weaves the business of managing risk into the everyday routines of all employees. With more eyes and ears on the lookout for emerging risks, a company is much less likely to be blindsided by an undetected vulnerability—and that’s a significant competitive advantage for any organization.

Here are seven steps to start making risk a part of every discussion and every decision at your organization:

1. Educate all employees about risk.  If you want employees to participate in managing and mitigating threats, start by equipping them with a basic knowledge and language of risk. Explain the benefits of risk management and make clear how to spot potential issues, assess the possible impact, and determine what can be done to mitigate threats. Cultivating awareness and understanding of risk will make it much easier for stakeholders to see that reducing risk is in everyone’s best interests, not just the company’s.

2. Clearly communicate what’s expected.  Have a clear, well-defined process for reporting risks. The easier it is to report a concern, the more likely employees are to report it. Guidelines need to be specific and direct and go beyond the equivalent of “if you see something, say something.” Technology plays an important role in ensuring reporting is easy, consistent, and timely. Offer employees on-the-go access to forms with prepopulated fields to make it easy for them to navigate the process and collect all necessary information while it’s still fresh. If the process of reporting risks is long or complex, adoption will be low.

3. Get top-level buy-in.  Leading by example is powerful. If the senior leaders of an organization are visibly making risk-conscious decisions, others will naturally follow and operate in a risk-minded way. For example, in the chaos and compressed timelines of a crisis, it might be tempting to cut a few ethical corners for the sake of speed. Senior leaders who visibly refuse to compromise integrity set a great example for others to follow.

4. Break down silos.  Open lines of communication by establishing a risk committee that includes stakeholders from multiple departments. Technology can help by centralizing risk information, standardizing data, and showing the relationships between threats. It can establish a common risk language and facilitate productive conversations to make sure all vulnerabilities are identified and addressed. If there is a problem with a vendor, for example, third-party risk, compliance, claims, supply chain, and other teams can all quickly come together for a coordinated response to limit fallout.

5. Assign responsibility for managing specific risks.  The risk committee should also identify the individual who is most closely connected to each risk—and hold that person accountable for its management. When everyone knows who is responsible for what, there’s much less of a chance that something important will fall through the cracks because everyone thinks handling it must be someone else’s job.

6. Establish incentives.  Baking incentives and risk management expectations into performance plans gets people thinking regularly about risk and what they can do to help correct issues within their control. Consider offering spot bonuses to employees who identify risks and come up with a solution. Or tie annual bonuses to achieving certain risk-related goals. Nothing gets attention like telling managers they must make, say, a 10 percent improvement in a certain risk-related budget item or their bonus will be impacted.

7. Leverage technology to measure improvement and increase transparency.  Technology can gather all risk-related data—from claims, internal audit, safety, and third parties—into one location. This increases transparency and elevates the visibility of risk, which promotes a risk-aware culture across the organization.

Risk scorecards, for example, can show how each business unit, department, or location is performing against key risk and safety goals. Point values can be given to each key performance indicator (KPI) and totaled for an overall risk score, which business-unit leaders can then use to review progress and suggest follow-up actions to improve performance.

The data can be summarized in reports and distributed companywide so that everyone can see what’s been achieved, what’s in progress, and where there’s still room for improvement. Business units can even see how their performance stacks up to others. While this may be frustrating for the team at first—especially for those who are coming up short—these scorecards can eventually become a point of pride because they provide definitive proof of what the team has been able to accomplish.

A Practical Look at a Risk-Aware Culture

Consider this example of the power of a risk-aware culture: A national food-distribution organization with many different operating companies noticed an upward trend in the frequency and severity of its workers’ compensation and liability claims. Its numbers for key safety metrics—accidents per million miles (AMM) and recordable case rates (RCR)—were higher than its competitors’. In addition to immediate concerns over employee well-being, the high volume of claims was straining the company’s financials.

Management wanted to instill a safety-oriented culture to reduce the risk of injuries and lower the total number of claims. The goal was to reduce AMM and RCR by 20 percent. To reach that goal, each independent operating company needed to buy into that policy. A mind-set change was in order to emphasize that:

To facilitate this shift, the company used risk scorecards to create a ranking that shows how each operating unit is performing across 17 risk and safety categories, including AMM, RCR, required training compliance, root-cause completion percentage, and more. This method encouraged a cultural change in two ways: Overall scores were shared across the organization, which naturally motivated each unit to improve. There was also a clear financial incentive, as employee bonuses were tied to achieving these goals.

It took time, but everyone is now on board. Locations eagerly await the quarterly ranking report, and improving safety scores is a point of pride. Employees understand the value of fixing a problem—and how their actions can really make a difference.


How Risk-Aware Is Your Organization?

A company culture that values risk-aware behaviors protects customers, the brand, and the bottom line. When all stakeholders—from the CEO and board down to the newest interns—are aware of the risk inherent in every decision, potential issues can be raised, discussed, and addressed in advance. Unexpected issues are less likely to occur. And when they do occur, the impact tends to be less severe.

A great risk culture is not something that can be built in a single all-staff email or all-hands meeting. It takes time to educate people about risk, spark dialogue around possible actions, and instill a belief that everyone has the power to make a difference.

How risk-aware is your culture?


Roger Dunkin is the co-founder and senior vice president of innovation at Riskonnect, a leading provider of integrated risk management software. He is responsible for creating and launching innovative, scalable solutions to help organizations address the challenges of managing risk.