World Risk Day Blog


Why is it so hard to embed a risk culture?

Posted by: worldrd • Posted in: Blog
Posted on June 08, 2012


Guest blog post from Sheralee Morland of IRMSA (Institute of Risk Management South Africa)

You have tried everything, short of going down on your knees and pleading, to implement risk management in your organization, and yet obstacles remain. The organization is still met with nasty surprises, sometimes splashed across the newspaper; risk is not embedded throughout business processes; informal risk practices abound; and risk is not a part of everything management and staff do…

Why oh why is that, you may ask yourself…?

Top of my list of reasons is that risk culture is just not what it should be, can be or ought to be! And yes, you may be thinking that ensuring a sound risk management culture is easier said than done…

Be that as it may, I am of the view that the critical success factors or key elements of an effective risk culture include, but are certainly not limited to:

  • Risk management philosophy – do the Board and executive management have a real aspiration to practise good risk management and, better yet, would they like to strive for world-class risk management? Do they set the right tone – do they practise risk management by example? Do they give sufficient management time to reflecting on emerging risks and on the upside and downside of risks associated with the development of new processes and products, some of which are ever more complex?
  • Strategic intent – is risk management included in the main strategic focus areas? For example, if client centricity and managing for value are strategic focus areas, is managing risk as an enabler another?
  • Directors on your side – is there a member of the Board or risk committee who is passionate about proper and effective risk management? If so, do you have their ear and support to further your cause? Do they whole-heartedly participate in the annual risk assessment or when new and emerging risks are considered? Do they appear well prepared for risk committee meetings, with healthy challenge and debate, and do they encourage the escalation of risks rather than the concealing of bad news?
  • Lessons learnt – when bad things happen (and they do), are pitfalls understood and dealt with in a constructive manner to prevent a repeat? Is awareness heightened of what can go wrong and does go wrong, so as to widen the knowledge of potential risks? Is there demonstrable reflection by management and the Board on emerging and evolving risk?
  • Responsibility and accountability – are these clearly defined and ingrained in the way the organization organises itself, and is this clearly described in annual reports and documents available to stakeholders – for example, a three lines of defence concept?
    • 1st line of defence – focused and informed involvement by the Board and executive, and accountability and responsibility of business management, all supported by appropriate internal control, risk management and governance structures and processes.
    • 2nd line of defence – independent risk oversight and monitoring by Risk, Governance and Compliance functions.
    • 3rd line of defence – independent assurance provided by Internal and External Audit.
  • Scorecards, mandates/charters and appraisals – is risk management a component of each staff member's job profile and scorecard? Are accountabilities for risk management understood at all levels in the organization and written into monitoring committee charters? Is appraisal against these regular and constructive? Is training offered to management, staff and directors, particularly where evolving risk requirements have become more complex in nature?
  • Singing from the same hymn sheet – is a common understanding created through the use of governance frameworks; parameters set in guiding policies that enable but do not hinder the management of the key risks for the industry type; and a common risk language understandable to all and not just to risk specialists?
  • Regular reporting – are risks identified, assessed, monitored, managed and reported in an easily understood and effective manner? Free from unnecessary detail – short, succinct and impactful, to facilitate decision making and the design of management actions and remedies? Are staff afraid to report? Are matters raised swept under the carpet? Is there a whistle-blowing line, and are whistleblowers protected?
  • Selling the benefits of good, solid and robust risk management – does risk management live in your organization, or is it just a case of boxes being ticked? It is important to have an ERM team in place that is energetic about creating awareness and understanding. Demonstrate that a strong risk culture will determine the way risks are identified, understood, discussed and acted on. Be convincing about it being essential as the foundation for risk governance!

Good luck… the benefits are worth the effort!

I’d be interested to hear your views and experiences on embedding a risk culture within your own organization…

Sheralee Morland is Exco Vice President of IRMSA (Institute of Risk Management South Africa)

(3) Responses to “Why is it so hard to embed a risk culture?”

  1. Horst Simon says:

    Great way to start discussions here Sheralee! I am convinced that the world is waking up to finally realising that it is not about systems, processes and models, it is about the people. You should look for the “Risk Culture Builders” Group on Linked-In, we are around 600 “members” talking about this, sharing and helping each other.

    We had an ORM Forum two weeks ago and an ERM Conference last week here in Dubai; at both events the focus was on Risk Culture. The Future of Risk Management lies in the ability to foster new behaviours, both the behaviours we want to ENCOURAGE and the behaviours we want to AVOID.

    You can also join the discussion on the “Risk Culture Builders” page on Facebook.

  2. Paul Ellis-Smith says:

    Fabulous blog, I agree with everything you’ve said. But I would go further and say that your critical success factors are necessary but not sufficient.

    From the perspective of the CEO or a BU Head the key goal is always going to be the creation of shareholder value. Risk management processes, workshops, population of databases etc. are always going to be viewed as a tax on time and resources. It’s a grudge, much like owning a fire extinguisher – you only want it if something is going wrong!

    Then there is the simple fact that the best business leaders have a vision that is inspiring. This usually is a vision of growth and profitability and a culture of openness, trust and enthusiasm coupled with an entrepreneurial mindset, which is fundamentally a risk-taking one. It is easy for such a manager to see ERM and governance as a bureaucratic overlay which merely puts the brakes on performance. It is hard for such a person to be passionate about risk management. In fact I would say that the only people likely to be passionate about risk management are risk managers. That is because to the risk manager, risk management is an end in itself. The vision, for them, is or should be that their organisation has clockwork risk management and everyone buying in. To them, the benefits are self-evident – who wouldn’t want an organisation where all risk is perfectly managed? Unfortunately, for line management it is not so simple; risk management is usually secondary to achieving operational KPIs and at worst, a barrier to delivery.

    A risk management culture and an entrepreneurial culture appear to be irreconcilably at odds. However, this is not so. It is not a zero sum game and shouldn’t be seen as such. The truth is that both mindsets are necessary for an organisation to survive and thrive.

    The key lies in the COSO framework step: objective setting. If one views a risk as anything that prevents the achievement of a business objective then risk management can sell itself as a business partner that helps the business to achieve its objectives. It does so by analysing and managing those things that can and do prevent their achievement. So a culture of risk management is positioned not as a rigorous and disciplined adherence to a tick-box process (although this remains necessary), or certainly not a culture of risk aversion (which would surely lead to stagnation and eventual failure), but rather the comfort that the obstacles and threats to the achievement of business objectives are identified and managed. I suggest a healthy risk management culture would see risk professionals involved in all tactical and strategic discussions, bringing an enabling, rather than devil's advocate, mindset but identifying issues and working with management to solve them.

  3. Brendan Sweeney says:

    I found this to be an excellent blog with two superb replies.
