How To Embed Risk Awareness In Core Corporate Culture

It is now five years on from the financial meltdown caused by a catastrophic failure of risk management in the financial services sector. The causes of the meltdown are many but two things stand out:

  1. That over-reliance on risk management models, systems and tools – which were used by many but understood by a very few – set the stage for the meltdown;
  2. That human behaviour, driven by financial incentives and rewards, was in large part responsible for the recklessness that triggered it.

There is now an increased focus on risk management in the organisation as an enabler of long term growth and profitability.  However, significant strides in the use of risk management will only come through the development of a risk culture across the entire organisation, so that risk is no longer seen as the preserve of a select few within the organisation, but an enabling capability that provides value to everyone in it.

Why a change in culture is needed

A recent report by the Association of Certified Chartered Accountants (ACCA) written in the aftermath of the 2008 collapse was quite clear on this.  It said:

“In any analysis of the risks that bring down organisations, or come close to it, the root cause is usually identified as something to do with corporate culture”

The role of the CEO and the Board in culture change

The board, led by the Chief Executive Officer (CEO), has the greatest impact on the culture of the organisation because:

  • It’s the Board that decides the level of risk that it wants the organisation to adopt
  • It’s the Board that decides the organisation’s goals, activities and priorities
  • It’s the Board that determines, through the use of financial and other incentives, which behaviours to reward and through this determines the behaviours of everyone else in the organisation.

If we are to have a more risk aware culture then the role of the Board must be to promote the values and behaviours that are vital to a more risk-aware culture and to eradicate those that are no longer wanted.  They can do that through a number of measures, including:

  • Creating the right vision for the organisation
  • The use of incentives
  • Enforcing good governance
  • Ensuring compliance with the risk process
  • Company-wide risk management training
  • Coaching and mentoring to embed risk awareness
  • Demonstrating leadership

Creating the Vision

The first and most important thing that the Board can do is to create a vision for a more risk aware organisation.  This vision needs to be simple, it needs to be clear and it needs to be communicated to everyone in the organisation so they can understand the Board’s vision and translate it into everyday actions that they can take in their own work. This vision must include the level of risk appetite that the organisation is willing to take, as this is a feature of the organisation’s culture.

The role of incentives – you get what you pay for

It doesn’t take much to see that incentives skew an otherwise level playing field or set of choices.  In financial services commission-based selling has led to products and services being sold to people for whom these products were not just sub-optimal, they were actually dangerous.  In banking, bonuses resulted in huge risks to the organisation, but these risks were pursued because of the benefits to the individual; bonuses encouraged the very behaviours that were detrimental to the organisation and its customers.

Now it is time to change course.  We have an excellent opportunity to use incentives to drive the development of a risk aware organisation for the benefit of the organisation as a whole.  What the Board needs to do is to align benefits with improvements in risk management, so that people get rewarded for taking actions that reduce the negative effects of risk and exploit positive risks or opportunities.

The need to invest in cultural change

Investing in skills training pays dividends; companies that invest in their people tend to have a higher return than those that don’t.  However, in a down market it is common for companies to slash investment in people.  So the courageous Board needs to do what other companies won’t do.  They need to invest in training, coaching and mentoring to embed the risk management skills that are vital to their future. Nothing demonstrates that the Board is backing the change to the company’s culture like an investment in people.

Not more governance, just better governance

It never ceases to amaze me that project after project gets into serious trouble, particularly having been under the direction of a Project Board or other group of executive stakeholders.  Often these projects have been running for a very long time.  Then I read the results of a report on the management of troubled projects which found that just 20% of executive stakeholders provided the sort of close, ongoing supervison and timely intervention needed by complex projects.  The rest either:

  • Didn’t get involved until something was too difficult for the project manager to resolve (45%)
  • Didn’t get involved until the project was already in serious trouble (28%)
  • Didn’t get involved at all (7%).

This can’t be allowed to go on any longer.  Chief Risk Officers (CROs) need to call out stakeholders who fail to provide adequate governance.  To do that they need the power to stop projects that aren’t in governance or are being poorly directed.

Compliance isn’t optional any more

The risk function must ensure that all areas of the organisation, including projects and programmes, are part of their enterprise risk management (ERM) process.  We’re still seeing examples where failed projects are causing loss to the organisation because risk is not factored into decision making.  Project risks are still managed within silos and we have to break these down.  If these projects were brought within the scope of ERM the risks and the actions to manage them would be much more visible.

Time to try training

Increased investment in risk management training will drive increased use of the existing tools and make better use of limited funding.  This will drive improvements in communication and feedback channels.  This in turn will provide the Board with better information about risks so that they can incorporate risk into decision making.  Training will also provide the common language, artefacts and behaviours that are required for cultural change.  This training has to be mandatory and it has to be delivered at all levels, with no back-sliding, opt-outs or deferring “until a more convenient time”.  That time will never come.

Mandatory facilitation for planning workshops

Although training can provide the specific risk management skills and tools needed by the organisation, there is a risk that by the time a new project gets underway many of the requirements, scope and schedule risks have already been missed.  One way to deal with these specific risks, while at the same time putting projects on the right path, is to use facilitated project workshops.

The role of a facilitator in project workshops is to:

  • Bring the key participants in the project together so that they get a common understanding of the project
  • Develop a clear vision and goal for the project which can be used to drive the development of plans, budgets and risks
  • Identify the key workstreams, deliverables, dependencies and milestones.

The workshops themselves are very effective at eliciting key information needed by the project manager to produce detailed plans.  They also provide a reality check for the whole team by allowing them to get a better understanding of the total project than they would have working alone.  Finally they allow the team to start the team formation process by getting to know each other and by getting the team to work together.

Having spent much of the past year facilitating projects of various kinds and sizes in the financial services sector, I can say that not only do they work, but that I wish that I had had someone facilitate some of mine in the past.  I’d definitely recommend facilitated project workshops to any organisation looking to improve its handling of risk, provided that:

  • They are mandatory.  When we first introduced the new project framework we asked projects to complete an initiation workshop but didn’t insist on facilitated workshops.  Within a few months we could see a clear difference in outcomes between those that used a facilitator and those that didn’t.  We then pushed for mandatory use of a facilitator.  Compliance with the new processes rose directly as a result.
  • They are facilitated by someone outside the project team.  Many of the initial project workshops were led by the project managers.  They felt that, as they were experienced, they didn’t need a facilitator.  One of the benefits of having an external facilitator is that the project manager becomes a participator in their own workshops so can contribute more than they might otherwise do if they are leading the workshop.  By having a facilitator lead the event it also encourages others to speak out in ways that they might not if the project manager was in charge.  Finally, by using an external facilitator it’s easier to ensure that the quality of the facilitation stays high.
  • The facilitators are not people actively managing projects.  A former client of mine wanted to use their more senior project and programme managers as facilitators.  They found that they struggled to get them trained because many of them were too busy working on their projects to attend the training.  Later, once they were trained, they then found that they were too busy to spend the time needed to prepare and run the workshops.  As a result we had a backlog of projects that were waiting for a facilitator to become available, or they went ahead and held the workshops with the project manager acting as the facilitator, which affects the quality of the outcome.  Instead, get experienced trainers, department heads, and team leaders trained as facilitators.

Use coaching to power performance and productivity

The benefits of training are typically high but short lived.  If the skills acquired through training are not actively used then they wither and die.  It’s as true for risk training as any other.  This is where coaching comes in.

Training combined with coaching delivers long-lasting improvements.  Where training can add 20% or more to productivity, training plus coaching can boost this productivity improvement to almost 90%.  These improvements are not just limited to the increased use of the skills being trained.  The other benefits of coaching include:

  • Improvements to productivity
  • Improvements in creativity
  • Improvements in working relationships
  • Improvement in job satisfaction

What would a 90% improvement in risk management do for your company?

Mentor the next generation of risk managers

If the aim of coaching is to improve peoples’ performance and through that their ability to meet and exceed objectives, then the role of mentoring is to pass on experience.   Some people use the terms coaching and mentoring in the same context, as if they are the same thing.  I’d make a distinction between the two.  There are several key differences between coaching and mentoring, including:

  • The seniority of the mentor in relation to the mentee
  • The level of subject matter expertise
  • The level and nature of feedback
  • The length of the mentoring relationship

There is one overriding reason for recommending mentoring to support the long-term cultural change needed to embed a more risk aware culture.  That is to develop the next generation of risk managers and leaders in the organisation.  By mentoring the next generation of risk managers we can:

  • Reinforce the benefits that comes from risk management
  • Provide insights, lessons and advice in a way that isn’t open in a coach / coachee relationship
  • Help the mentee to assimilate knowledge and experience.

Provide leadership

One final challenge for the Board is to close the gap between what they see as their key priorities for risk management and what they are doing about it.  When asked about the most important qualities in instilling a risk culture, the number one item was strong leadership.  Boards need to demonstrate it.


This has been the longest recession in approaching one hundred years, but it won’t last forever.  Growth will return but the next five years will see a changed business landscape.  The organisations that will adapt best to the environment will be those which have accepted that the toxic, greed driven past is over, that improvements in risk won’t just come from technology and have taken the greatest strides towards a more risk aware culture.


British Computing Society (2003): “The Challenges of Complex I.T. Projects: The report of a working group from The Royal Academy of Engineering and the British Computer Society”

Accenture (2011): “Report on the Accenture 2011 Global Risk Management Study”

Zurich (2011): “Risk Management In A Time Of Global Uncertainty

Financial Services Authority (2012): “Risk To Consumers From Incentive Schemes

International Personnel Management Association

The Economist Intelligence Unit (2009): “Beyond Box-ticking: A New Era For Risk Governance

Economist Intelligence Unit (2010): “How Mature Financial Firms Deal With Troubled Projects

The Manchester Review (2001): “Maximising The Impact Of Executive Coaching: Behavioural Change, Organizational Outcomes and Return On Investment