Driving Business Value: Creating a Risk-Aware Culture in Your Organization
Melissa Ryan, Practice Director, Asureti | October 19, 2021
Simply put, "risk is no longer only for the risk professional." This single statement contains two parts: one of awareness and one of recommendation. Organizations where non-compliance is the norm will sooner or later find themselves on the wrong end of a negative event. But those agile and forward-looking companies who build a culture of risk awareness stand to gain strategic advantages in their marketplace.
Companies, of course, need the proper tools, processes, and policies in place to reap such benefits, but it is the underlying culture that unifies an organization and provides the agility to drive business value when it comes to fostering a risk-aware culture.
A successful risk-aware culture is not derived overnight, and you need to build it and make sure both its implementation and ongoing nurturing receive the attention it deserves. Recently I had the pleasure of speaking at LogicGate’s annual conference, Agility 2021, highlighting what companies can do to build a risk-aware culture. Based on my experience, here are a few high-level recommendations I would advise for a company looking to implement an effective risk-aware culture.
Use business risk language to drive decisions. Incorporating an established and defined risk language into your culture's decision-making will establish its importance to the organization and highlight that everyone really should care about risk. Security and financial language is already used in this fashion; why not risk?
Be willing to ask challenging questions. Don't simply go with the status quo and the norm, but challenge it. Look around and truly observe what is happening in the organization and identify risk-related learnings you can utilize and share. Push forward to be better, highlight the risks, and make sure that they're addressed.
Utilize a risk tolerance approach. Consider organization-appropriate responses to different types of risks. Classification of vendors and partners based on the availability of systems or security and information is an example of applying thresholds for risk tolerance-based actions.
Communication is key. Make sure risk considerations and allowed responses (risk tolerance!) are well understood throughout your organization. This requires continual reinforcement. Communication needs to flow throughout the organization—down from management, across functional teams, and upward in feedback loops. Communication across the organization regarding risk is key for true risk awareness.
Think about how to embed, reinforce, and how to make real risk culture stick. What will resonate best with your organization? Review your organization's relationships, communication, and employee interactions to identify how to best operationalize risk management.
Risk is truly the responsibility of everyone in an organization. Hopefully, these recommendations have inspired some ideas for how you can look at your current company culture and identify some creative ways to push your organization to grow and build a more risk-aware culture.
Asureti: We are data protection experts who know the importance of information assets to your business. We’ve tackled the challenges in protecting and leveraging assets for positive business outcomes. Asureti brings that experience, knowledge, and problem-solving passion to your organization. To learn more about Asureti visit asureti.com or send an email to [email protected] If you'd like to learn more about LogicGate's holistic GRC platform, Risk Cloud, visit logicgate.com or request a demo.
Driving Business Value: Creating a Risk-Aware Culture in your Organization was a fireside chat session during Agility 2021, Risk Reimagined. Melissa Ryan, Practice Director at Asureti, joined Sara Haven, General Counsel at LogicGate, to share tips on building a culture of risk awareness.