Everybody is talking about assessing and addressing risk culture.
They talk as if risk culture (the beliefs and so on that drive risk-taking behavior) is not only a major factor in whether risks are at desired levels, but is consistent across the organization.
But, while culture is a major driver of behavior (of all types, not just risk-taking), it is most certainly not consistent.
Consider the executive team.
Do they have an identical attitude towards taking risk? Aren’t some more careful and cautious than others? Isn’t there often a healthy debate when it comes to the timing of product launches or expansions into new markets?
If you don’t have a consistent attitude towards taking risk among the few members of the executive team, how can you expect to have a consistent attitude among the population of employees and decision-makers?
I am not saying that attention should not be paid to culture. If there are conditions (such as severe penalties and repercussions for making a mistake) that can drive behavior in the wrong direction, it is important to understand and address them.
What I am saying is that we should ask a different question.
How can we be reasonably sure that decision-makers will take the desired level of the desired risks, the level of risk that the board and top management want taken to achieve objectives?
Follow that by asking: who (individuals and teams) is more likely to take a different level of risk?
Now that we have identified the potential sources of poor risk-taking (and decision-making, by the way), we can start to think about what we are going to do about it.
Options might include expanding or shrinking how we empower certain employees to make decisions and take risks without approval.
Let me close with this.
Are you paying too much attention to risk culture in general and not enough to people who you (or top management) are not confident will make intelligent and informed decisions, and who may take the wrong level of risk (which may be either too little or too much)?
I welcome your comments.
He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.