THE Institute of Risk Management defines risk culture as “a term describing the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation or of teams or groups within an organisation”.
Organisations are exposed to numerous risks and build a control environment that senior managers believe will manage the effects of those risks at an acceptable cost. The aim is to create a risk profile that sits within the organisation’s risk appetite and tolerances.
To achieve this, the senior managers need to create and maintain a mindset among employees that effective risk management, and in particular the application of the controls, is an important and necessary part of everyone’s job.
It is important to emphasise that a positive approach to risk management reflects positive business practice. Risk culture may be reinforced in a virtuous cycle of positive actions and behaviours over time that match the organisation’s desired risk culture.
A positive risk culture helps organisations avoid losing their assets as a result of employee practices. Despite management’s efforts to enforce a positive risk culture, there can of course be a cycle of dysfunctional behaviours and actions that are tolerated and create a vicious circle of damaging, negative risk culture.
A negative risk culture can lead to organisations incurring huge losses despite having proper controls in place. A very good example is a story that flooded our media, in which a named company lost a good sum of money from the most secure part of the organisation.
From a risk point of view, the incident had more to do with the employees’ risk culture than with a failure in controls. One could easily tell that one employee chose to trust a friend and overlooked the dual controls in place.
We can now see how the culture established among employees can affect the controls in place. In other cases, companies have lost huge sums of money from what employees perceive as a simple matter: sharing passwords among themselves. All of this is built on a negative risk culture in which employees tend to trust one another and overlook controls.
Knowing how a negative risk culture can adversely impact the organisation, we can safely say that it is insufficient to leave the risk culture to chance – in other words, to the random approach to risk that each individual or team may take. Taking a positive stance on risk culture is very important, and this requires the following:
• The management board setting the tone on positive risk management is key. This can be done by ensuring that a positive risk culture is rewarded and a negative risk culture is penalised.
• Good communication of the organisation’s expectations of all staff – this could be through policies, presentations, staff newsletters, induction processes, written documents, posters and job descriptions. Also, when staff are involved in the risk identification process, this achieves greater buy-in.
• Training programmes that instil the right practices and knowledge. Employees need to be constantly reminded of best practices and the risk controls in place. I understand that it may sometimes cost an organisation money to train employees, but it is a worthwhile undertaking.
• Investment in the use of effective IT security tools and active and transparent monitoring of IT usage that is made clear to all employees.
In conclusion, I would like to say that a positive risk culture can save organisations millions, but the opposite is the case with a negative risk culture. “Remember, trust is good but control is always better” – Unknown.
The author is a risk analyst.