Embedding risk management into the culture of an organisation is realised by linking your risk management to learning and development efforts, advises Brett Dorney

Organisations are increasingly investing considerable time, effort and resources into ensuring that risk is properly managed, and that robust risk management frameworks, appropriate to the complexity of the organisation, are being implemented. A key plank of the implementation is, however, being overlooked by management of many organisations in their determination to address strategic risk, ensure compliance with governance commitments, and manage financial and operational risk, all of which may impact on the current or future performance of the organisation. Many believe that simply adopting a robust top-down approach to rolling out a risk management policy and risk management framework will embed an approach to risk throughout the organisation.

Such implementers fail to sufficiently consider that an endorsed organisational approach to the management of risk is only truly hardwired into the organisation when employees act in a way that is consistent with the risk management policy and in line with the risk appetite of the organisation, and do so repeatedly over time, regardless of factors that might ordinarily upset the approach – such as employee turnover or significant interruption of normal activities. Only when the organisation’s expectations about how its employees behave in relation to risk have become 'the way we do things around here' can implementers lay claim to fully embedded risk management.

Start with the end in mind

If those with responsibility for risk in organisations start with the end in mind when considering what embedded risk management looks like, and include the knowledge, skills and behavioural responses of the employees, consistent with the risk appetite of the organisation, then a series of long-term actions is revealed that leads inexorably to an organisational culture where risk management is integral and pervasive.

The knowledge, skills and behavioural requirements for embedded risk management can be included in the learning evaluation approach from the outset. Doing this provides a valuable additional measure of the traction and transference which is being achieved in efforts to embed risk management.

Think about the human factor

Collective individual behaviour in relation to risk will not materialise simply by implementing a risk management policy, resourcing a team, assigning responsibility for risk management to it and putting effective controls in place that assist with reporting variances. Rolling out a risk management framework from the top down will improve the traction, but will not guarantee it is embedded. Employees are human and instinctively operate individually. In the collective context where humans come together in a workplace, for the purposes of risk management that collective behaviour needs parameters. By supporting the implementation of risk management with a programme of thorough and relevant training, learning and development, those parameters, guided by relevant and appropriate knowledge and skills, are defined. The long-term effect will be to ensure that collective actions over time operate within the risk tolerance of the organisation and become a matter of course.

This is true for any size or nature of organisation, but especially for those with multiple stakeholders. Therefore the scope for considering how learning can assist with this process includes any medium corporate or public sector organisation. The rule of thumb is: if the organisation is large enough to employ multiple people and worry about optimising risk transfer, then it is large enough to use learning, including training, to support the embedding of risk management into the culture, so that it becomes 'the way people do things around here'.

Risk and its upside

Critically, it is not just when considering risk at the strategic level that people and culture issues arise. Consider this scenario: I am an employee in a mid-sized organisation where the senior management takes risk management at the strategic level seriously, so that everyone employed there averts negative risk and realises every opportunity. As an employee I will be faced with decisions that will reference that appetite or tolerance to risk as I go about my general duties. I may also be faced with specific additional risk as a result of what I am employed to do – examples might include financial, operational and hazard type risks as set out in the risk radar (Figure 1). I need to be prepared for dealing with risk of every type that may affect my ability to perform optimally.

Remember that risk can also represent an opportunity. An embedded, enabling risk management culture will ensure that an organisation's people are both in control of the negative risk impacting the organisation and spotting opportunities in risk, both of which are critical to long-term organisational performance and success.

Engage the people with risk

Central to the set of long-term actions is the need to engage the people of the organisation with risk so that critical mass is achieved. To set an example, managers must be role models for the required behaviour and be held accountable for their actions. This must be supported and built up with regular, planned communication emphasising: the implementation of risk management and the risk appetite, the relevant knowledge, skills and behaviours required, and finally the collective parameters for risk in the organisation.

Learning to embed risk

With a thorough assessment of needs in hand, and a matrix of requirements determining the knowledge, skills and behaviours for each risk issue by type of risk, thought can turn to matching available training and learning resources to those requirements.

Always start by giving employees the relevant risk management knowledge ('what'). Areas that must be addressed include understanding of risk and risk management, the risk management process (assessment, reporting, treatment/control and monitoring), and relevant knowledge of the type of risk or risk responsibility in relation to the specific organisational risk radar. Examples might include general understanding of risk in an organisational context, specific alternative risk financing knowledge for the CFO and risk assessment knowledge for health and safety coordinators.

Public courses in these specific risk knowledge areas are a useful, inexpensive way of delivering solutions on an individual basis or for smaller organisations – the advantages being that they are low cost, generally widely available and that training needs can usually be addressed relatively quickly. They do not, however, usually link into the unique risk circumstances of the employee’s organisation. These types of courses usually address the knowledge gap issues only.

Moving on to giving employees the relevant risk management skills and behaviours ('how') presents a different challenge. Public courses are unlikely to be able to achieve transference of 'what' into 'how' due to the challenges of delivering content to people from a variety of backgrounds, sectors and organisations at the same time. The solution invariably involves bespoke in-organisation training and learning opportunities that are more closely tied to the particular requirements of the organisation.

Special consideration of appropriate methodologies for training (classroom, e-learning, workshop-based, practical, on-the-job) will be influenced by the size of the organisation, its nature, context and culture, the unique language or terminology prevalent in each organisation and the fit with the strategic priorities of the organisation. Solutions will be available from suppliers that are engaged in the support of risk transfer activities for organisations. They involve coordinating specialist skills with the requirements of dynamic learning, or, in large organisations, bringing the skills of the learning and development and risk management departments together to develop in-house material.

Articulating success

What does success look like once an enabling organisational culture has risk management embedded into it? Employee audiences with specific risk management responsibility know about the organisation's approach to risk and its upside, appreciate risk in relation to what they should do, and do whatever is required by the risk management policy and framework to mitigate risk in the organisation and realise every opportunity presented. They do so as a collective and continue to do so repeatedly over time.

A planned programme of learning and development concerning risk and risk management in relation to the needs of the organisation will ensure that employees embed the required risk knowledge, skills and risk mitigation behaviours in relation to the requirements of their roles and the organisation. By working with their learning and development or training colleagues, those with responsibility for risk will embed risk management into the culture of their organisation, strengthening the organisation's resilience in the longer term.

Embedding risk management into organisational culture

A quick review of the status of your risk management programme will identify which of the following outstanding long-term actions apply to your organisation.

1 Be clear about the drivers for risk management throughout the organisation – including compliance requirements, regulations, competitive pressures, contractual expectations, stock exchange, ratings agency or analyst expectations, public sector governance requirements, desire for good management and optimum opportunity management.

2 Start with the end in mind – define the future reality for managing risk in the organisation and the outcomes you wish to realise in organisational and behavioural terms for employees and identify an evaluation approach to measure success.

3 Define the organisation's audiences for risk management – identify the roles or groupings of people that need to understand and apply risk management to what they do.

4 Engage employees in their attitudes and perceptions of risk – interviews, workshops, focus groups, surveys – if done as part of early communication it will make addressing any gaps much easier later.

5 Articulate a clear risk management policy, framework and appetite or tolerance for risk.

6 Roll out risk management in a top-down manner, supported with workshops and a communications plan for each audience grouping to ensure knowledge of requirements for change at each level. Build in what has been learnt from step 4.

7 Hold relevant people accountable – ensure their performance metrics include risk management accountabilities and make performance matter.

8 Identify a matrix of the risk learning and development (L&D) needs in terms of knowledge, skills and behaviours on the one axis and the risks faced by employees in the four broad categories in the radar on the other axis. Include the behaviours defined in step 2.

9 Link the required subsequent gap analysis into existing training needs assessment processes. Avoid reinventing the wheel, but ensure the gaps between what people need to know in relation to risk, the skill they should possess and how they should behave are determined.

10 Deliver the risk L&D plan and solutions, including training, to address the gaps. This can be as part of a broader L&D plan or stand alone. Be creative about using all sources of learning and training that suit your organisational requirements.