A good risk culture should reward decision-makers at all levels of the hierarchy and enable them to take the right risks while being as well informed as possible.

The following criteria make it possible to recognize the success of a risk culture:

  • Leadership culture: clear and consistent signals from leaders regarding the risks to accept and the risks to avoid.
  • Responsibility of employees: recognize that risk management is not limited to ticking boxes once and for all but is an ongoing job, with well-defined processes and responsibilities.
  • Open communication and critical dialogue: Transparent and up-to-date risk information is accessible to everyone within the organization. Even bad risks (in the sense of potential financial losses) are communicated quickly and openly, without fear of possible negative consequences. Employees at all levels are encouraged to report incidents, near misses and suspicious activities to learn from them.
  • Appropriate incentive structures: risk-aware behavior is rewarded and encouraged, while inappropriate behavior is questioned and sanctioned.
  • Everything is done to fully understand the consequences of a risk on the achievement of objectives (and this before deciding on appropriate action).
  • The role of risk manager is well established in the company structure: the risk manager's work is valued fairly, and they are given appropriate resources (employees, capacities, financial means) and the support of the company's management.
  • A culture of risk requires a company culture that values diversity of opinions and points of view, that does not rely on the status quo and that continually strives to improve things.

What exactly does risk culture mean?

Like corporate culture, risk culture is difficult to define because the definition itself contains abstract concepts such as values, standards and approaches. And yet, let me try by giving the Basel Committee on Banking Supervision (BCBS) definition:

“Risk Culture is the set of norms, approaches and behaviors of a company regarding risk awareness, risk propensity and risk management. Risk culture influences the decisions of management and employees in their daily work and has consequences on the risks they take.”

Every organization (regardless of its legal form and size) has a corporate culture and a risk culture. The decisive question is whether this culture is rather positive or rather negative for the long-term success of the company.

Risk culture would therefore be like a Petri dish which promotes the development of a good attitude towards risk.

Why is risk culture so important?

To achieve its goals, every business must take certain risks. A company’s risk culture has a decisive influence on the success or failure of its risk management as well as the decision-making capacity and performance of the company.

Companies with an inappropriate risk culture unwittingly encourage their employees to take risks beyond tolerance limits, defined behavior patterns and policies.

And even worse: the unacceptable risks taken by certain collaborators or groups often go unnoticed (or interest no one)!

In the most serious cases, this results in serious financial damage and/or harm to the company’s reputation.

What is the role of management and that of the Risk Manager?

Developing and encouraging an appropriate and sustainable risk culture is first and foremost the role of management in any company. An integral part of this risk culture is the “risk appetite” defined individually by management as part of the risk management strategy. This appetite allows risks to be taken and managed within the capacity to bear risks, with a view to achieving strategic objectives.

It is therefore up to management to apply a top-down approach to communicating the risk culture and to ensure that the risk culture continually coincides with the company’s strategic objectives. The leadership culture mentioned above, that is, the position of management itself, plays a decisive role. Company management should ask themselves the following questions:

  • What does our risk culture currently look like and how can we improve risk management within that culture?
  • What do we want to change in our risk culture? In which direction do we want to go?
  • What must we do to achieve this? What does our roadmap look like? Who or what do we need?

Among risk managers, there is not yet consensus on how best to help company management answer these questions. But organizations like the Institute of Risk Management (IRM) believe that risk managers, as agents of change, can make a big contribution to improving the culture and management of risk within an organization's existing entrepreneurial culture.

If you can’t measure it, you can’t manage it

The reorientation of risk culture is a change management project that should not be underestimated and whose progress and degree of achievement of objectives must – as with any other project – be regularly monitored. Alongside the definition of processes and responsibilities, a centralized and easy-to-use IT tool plays a decisive role.

According to the motto “If you can’t measure it, you can’t manage it”, attributed to the famous management consultant Peter Drucker, a centralized risk management platform creates the basis for effective, structured and permanent capture, evaluation and monitoring of the company's relevant risks. In addition, it is a communication platform through which risk officers, risk managers and other stakeholders can – regardless of location and time – inform themselves about risks, actions and tasks and exchange information on best practices and lessons learned.