It would be difficult these days to survey the landscape without seeing a veritable minefield of risks: natural disasters, data breaches, and quality-control failures resulting in widespread product recalls. No wonder risk management is such a hot topic.
And while big corporations are adopting formal methodologies such as enterprise risk management (ERM) systems or hiring chief risk officers, midsized businesses may not find such options within reach.
That doesn’t mean you ignore risk. Rather, you make risk management part of the decision-making process at every level of the organization. In a 2010 white paper, management consulting firm McKinsey & Company recommends a top-down, bottom-up approach to risk management, which involves training middle managers and front-line employees on how to identify risks in their area, and establish a process in which these threats are communicated upward for rapid evaluation and mitigation. Here are a few considerations when building a risk-intelligent culture:
- Communicate core values. Changing corporate culture to embrace risk awareness and risk management starts at the top. Business owners and C-suite executives must define and communicate core values that emphasize how you do business, and the commitments you make to core constituencies, including customers and employees. This could be part of, or augment, an existing mission statement. What’s more, senior leadership must walk the walk, modeling these values in their behavior.
- Create a safe environment. One of the biggest cultural barriers to effective risk management is fear among employees and middle managers that identifying risks could lead to retribution: problems get swept under the carpet, mistakes are buried, and potential roadblocks left out of strategic analyses. Companies that foster open communication and embrace challenges to authority are far better prepared to face potential risks than those that stifle such discussions. Risk reporting should be acknowledged and rewarded; at the very least, employees should be made to feel their concerns have been given careful attention.
- Take a just-enough approach to controls and processes. In “Managing the People Side of Risk,” McKinsey & Company partners Alexis Krivkovich and Cindy Levy argue that while controls and processes that reduce risk are critically important, over-regulating how people perform their jobs can have the opposite effect: Employees skirt rules they see as unnecessarily burdensome, which undermines respect for all procedures, even more reasonable ones. The better approach would be to engage front-line employees in devising processes that fit into the way they work. Their participation may well bring to light overlooked issues, and has the added value of their taking ownership - and accountability - for results.
- Provide a conduit. Even without an elaborate ERM, midsized companies can set up a process for identifying and prioritizing risks with a cross-functional risk management team. The formal structure underscores the importance of managing risk across the organization, while providing the ability to fully recognize company-wide threats and opportunities, as well as a way to respond quickly to unexpected issues as they emerge.
- Remain vigilant. Another threat to effective risk management is benign neglect. The longer you operate without serious incident, the more potential risks fall off the radar. Conducting periodic reviews and spot-checks will keep everyone on their toes with the added benefit of uncovering more potential issues. Additionally, it makes sense to refresh the membership of the risk team, perhaps by establishing “term limits.”
It’s important to point out that creating a risk-intelligent culture doesn’t mean avoiding risk altogether, nor does it mean stifling innovation. In fact, the opposite is true: Only by being fully aware of the risks involved in any initiative can you have the confidence to move forward.
