How to Improve Your Company's Risk Culture
Risk is a significant factor for every organization, but few do enough to proactively manage it.
Risk management is a critical pillar of organizational governance, but the degree of uptake varies tremendously from company to company. Some enterprises face the challenge head-on and take steps to be among the industry leaders. Others see the sea change as a passing trend and feel that devoting too many resources to it would be a waste of time.
The gulf between these two types of companies is widening. And in between them are a large number of companies that take a middle-of-the-road approach. They have fledgling risk management systems that haven't taken flight and aren't well integrated into their business processes.
While some of these in-betweeners aspire to become leaders in risk management, others have simply cobbled together something that looks like a risk management system but doesn't actually do the work of one. You could call these Cargo Cult Managers - their efforts are largely performative and mostly toothless, with management systems that are siloed from other corporate processes and have little influence over them.
In these organizations, risk management often becomes the involuntary purview of another department because a bid, proposal, or acquisition requires them to provide of of a quality and risk management system. This is a situation I see often in small businesses.
Where does your company fall in all this? Are you among the leaders who have a robust risk management program? Or are you closer to the laggards who don't prioritize risk management?
To give you a better idea of where you fit, let's take a closer look at these different types of risk cultures and their characteristics.
The leaders see risk-based, integrated management as the future - and they are taking their place in the front row. To earn that spot, they leverage technology and the specialized knowledge of consultants to strategically implement risk management systems in line with today’s best practices and the anticipated approaches of tomorrow.
Leaders are proactive in uptaking emerging technologies like artificial intelligence in the hopes of gaining an edge over the competition. Rather than bemoaning that AI may replace us in the workforce, they are looking for ways to use it to empower their organization and its members. For instance, using predictive analytics to offload the number crunching to machines and continually improve the outputs that allow us to manage risk.
Companies that are leaders in risk management are also conscious of sociocultural and industrial trends. They pursue initiatives in line with what is happening in the world and have well-realized ESG and DEI initiatives, seeing these as having an impact on risk for the company. After all, finding the right people, retaining the best employees, and improving public perception of the company all have lasting impacts on its ability to perform.
(Find out Why EHS Is Vital to Your ESG Program)
According to a recent report by Origami Risk, this is an shrinking demographic. In 2022, 66% of companies fell into this category, based on self-report. In 2023, only 40% did. While some of this change is due to a slight increase in the number of leaders, most of it can be attributed to a ballooning of laggards - from 24% in 2022 to 47% in 2023.
The in-betweeners may have a risk management system in place or under construction, but it’s usually siloed and under-utilized - a powerful tool kept on display in a glass case.
Because risk management is not an applied practice at these companies, the amount of time wasted can be significant. They make decisions with incomplete information, perform risk assessments when there is no decision to be made, and lack the firepower needed for the probabilistic phase of decision making. Such a company might even miss out on a "stochastically dominant" choice (basically a no-brainer) because they don't have the data and computing resources to identify it.
Organizations can remain stranded in this intermediate category because they fail to gain insights from specialized consultants and experts. Others will break through and ascend into the leader category thanks to a willingness to adapt, greater investment in risk management, and buy-in from top management. Unfortunately, many will never strengthen their risk culture and gradually settle down with the laggards.
You will hear a lot of skepticism in the hallways and boardrooms of a laggard organization. Management will point to the deflated promise of blockchain and cryptocurrency as a reason to ignore AI and other emerging technologies.
For Laggards, risk management is simply not a priority and buy-in from those at the highest levels is lacking. They have no budget or vision for risk management. It ranks low, alongisde other tiresome corporate obligations. If they have a risk management system at all, it is siloed, incomplete, and doesn’t perform any meaningful work.
Laggards prefer “tried and tested” methods, which may or may not be efficient or effective. If any component of their risk management system works, it's only by happenstance because they haven't done the work to assess the risk of lost (including the financial and time costs of performing inefficiently). Laggards fail to see the benefits of efforts that are not immediately productive, like ESG and DEI initiatives. Those things can't be put on an invoice and billed to a client, and are therefore misidentified as worthless.
Unfortunately for these organizations, there is no sitting out of the risk game. You either play it well or play it poorly. Uncontrolled exposure might not sink a company overnight but it can incrementally disable an organization.
Or who knows, perhaps a laggard organization will get lucky and hang in there. But who wants to leave that up to chance?