People talk about having an organizational risk culture that recognizes risk and in which risk management is embedded throughout the layers of the company. But what does that actually mean?
Below we look at four things that you’ll see in organizations with a risk culture so that you can decide if your business is on the right track to develop maturity in this area.
The Right People Are Risk-Aware
A risk management culture starts with the right people knowing the right things about the relevant risks. Typically, an immature risk culture would see individuals knowing about the immediate risks to their personal safety or potential showstoppers on the horizon that could affect their department. In order to fully embed the culture of risk management in the business you need to move beyond that.
Enterprise risk management software helps you do so, by ensuring that there is a central log of all the major business risks. Simply having a log makes executives more aware because they’ll have to gather relevant information from their divisions to feed into the software. The consolidated list can be discussed at management meetings and updated regularly.
Project risk might not make it to the boardroom discussions but the same tool can be used at all levels of the business to ensure risks have the visibility they require.
There’s A Tolerance For Risk (But Not Too Much)
A risk management culture is not all about preventing risk. Businesses don’t evolve and grow by shutting down every risky activity. On the contrary, taking calculated risk is what helps businesses leap ahead of the competition. But the risks need to be measured, and that relies on understanding the organization’s risk appetite and tolerance for taking risk.
That means having conversations about what level of risk is right for the organization at this time – and that will change over time. The company’s position on risk is something that the PMO can use to inform decisions about which projects get started or stopped. It can set the tone for a whole range of business decisions and actions around the prioritization of work.
Part of a healthy risk management culture is that team members aren’t afraid to talk about potential issues. They should be able to discuss risk with their management team without having to worry about the implications for their careers of being seen as someone who flags up problems.
Risk Ownership Is Embedded
Flagging up risks in an environment that won’t criticize you for doing so is one thing. Having someone take ownership to do something about it is another.
A mature risk culture allocates owners to risk. In fact, it’s even better if the risk owners step up and take responsibility themselves without being asked. They should know that the risk falls into their sphere of responsibility and they should have the power to manage it appropriately until resolution.
Risk ownership is important at all levels of risk within the company. At a project level, members of the project team will be responsible for owning risk management activities. As you move up through the levels of decision making, larger, enterprise-wide risks should be owned by people of commensurate responsibility, even if some of the risk management actions are then delegated to others.
Essentially, at every level in the business you are trying to move away from the ‘not my problem’ mentality to a culture where risks can be identified by anyone and managed by the appropriate person, and where those owners are held accountable for their actions.
Decisions Are Informed By Risk
All this risk management activity is largely pointless if the outcome is not being used by the business decision makers to make better choices for the organization overall. The data captured in your enterprise risk management system is hugely useful for defining what decision is the right one for this circumstance at this time. It’s a shame to see all of that data go to waste.
Having a risk management culture means that risk management isn’t a separate activity. It’s not something that a committee meets about once a quarter. It’s a fundamental part of the decision making of the business.
For example, annual planning cycles take the overall level of risk exposure into account. Knowing the current risk profile shapes what the business will choose to do over the coming years.
Equally, at a portfolio level, the risk profile of multiple projects will inform what new projects are taken on. If the current portfolio is about as risky as the business wants to get right now, only projects with a low risk profile will be approved. If there is still scope to take on innovation projects with a slightly higher risk profile, then you could add those to the project portfolio without impacting on the organization’s viability at this time.
No organization starts with risk maturity embedded into the fabric of the business. But it develops over time. The first step in improving your risk management maturity is to understand that there is a journey to go on. You can then start thinking about where you are currently in terms of maturity. And then you can plan out how you are going to improve your risk management culture in a structured way, gaining buy-in for the changes required as you go.
When you know what a mature risk management culture looks like, you’ll recognize it when you see it! Or you’ll acknowledge its absence when you can’t see evidence that risk is taken seriously in an organization. How do you think your company measures up?