Risk Culture and Its Maturity
Risk culture is the soft side of risk management and often gets taken for granted, even though it is a critical dimension in building an effective risk management architecture. At a basic level, risk culture is the way management and everyone else in the organization feel about risk - recognizing that feelings, attitudes and perceptions about risk will influence how it is managed. The risk culture sets the tone of an organization, influencing the risk-consciousness of its people as they conduct their daily activities and pursue their business objectives.
Risk culture is the degree to which management recognizes the need for risk management competency within the organization. It encompasses an organization’s appetite and tolerance for risk in its daily operating activities and decision-making processes. (Risk appetite is the desire or tendency to take on risk, ranging from risk-averse, risk-neutral, risk-taker to risk-seeker. Risk tolerance is the maximum amount of risk that the enterprise considers acceptable.) An organization with a strong risk culture is committed to the establishment of standards and protocols for identifying, assessing and managing risks.
As the risk culture matures, the paradigm shifts. Previously known and imminent risks are attacked, as in crisis management. With experience, internal risks are mitigated. After the house is in reasonable order, the external risks are engaged. Then project-level risk management is supported by enterprise risk management. The larger problems are solved using long-term strategies. This is the time when risks are exploited. As risks are solved, the associated opportunities are seen with clarity and pursued with added focus.
When risk perception is respected, there are many risk owners. These employees own the risks because risks affect their goals and objectives. They do not shun risks but welcome risk discovery and appreciate its positive aspects.
Decision analysis practitioners take risk analysis in their stride. All decision analysis methods consider risk and payoffs in decision alternatives and allow the decision maker to make optimum choices. The decision analysts examine risks in a scientific manner. They value risk perception as a way to make the right choice. To take a decision is to choose among risks. They choose the least harmful option and acknowledge the fact that risks prevail in the real world.
When the organization matures and possesses prediction models, risk forecasting becomes an obvious output. Such models are used not only to predict the steady-state values of processes but also to simulate dynamic variations and risks. All estimation models are potential risk forecasters.
The growth architects of an organization cautiously hunt for opportunities. Their caution is actually risk perception. Soon the employees realize that perceiving and responding to risks will lay the foundation for growth. An organization that does not see risks is blind. An organization that does not respond to risks is dead.
As the organization achieves capability, the risk response shows progress that is continual but subtle. Here is a list of risk-response types, illustrating a progression in risk management:
- Risk mitigation
- Risk prevention
- Risk prediction
- Risk exploitation
Mature risk cultures instill in project teams an ability to perceive and solve risks with speed and energy. Mature teams make detailed project plans and map risks to subtle shifts in microlevel tasks; thus, they are able to detect risk symptoms at the task level and predict risk early in the project. The frequent sharing of risk information, exchange of successes and failures in risk mitigation, and a frequently visited common risk repository all have one significant consequence: the mature project team cultivates a sixth sense for risk from the continual corroboration of risk data and assimilation of risk practices. Risk culture fills gaps in the risk management process, makes the project team vigilant well beyond the scope of defined processes, equips people with an organic power to detect and solve problems posed by risks, and empowers processes with an everlasting vision and energy to hunt for risks. Although most risk management processes are capable of dealing with known risks, a risk culture has the power to see unknown risks. When it comes to project survival in the midst of catastrophic risks, one relies more on risk culture than on defined processes. Risk culture, which is the accumulation of risk practices, experiences, and practical wisdom, is a worthy complement to defined risk management processes. Maturity involves years of practice and mastery over risk management processes.