Risk management plays a crucial role in the corporate governance of public sector organisations. It involves building structures and mapping out processes that contribute to both strategic and operational success.

This article provides a thorough explanation of what risk management in the public sector is and why it’s so important, and highlights examples of potential challenges linked to public sector risk management.

What Is Public Sector Risk Management and Why Is It So Important?

Public sector organisations will always face different risks that could potentially impact their operation and reputation. These risks can be divided into areas such as financial, compliance, technological and political.

To effectively identify these risks and have suitable measures in place to minimise their impact, public sector organisations should create a risk management strategy.

A dedicated risk management team should coordinate a strategy. Their role is to capture relevant risks at each organisational tier and monitor the completion of planned mitigating actions to decide whether to escalate the risk.

Change is one of the most critical elements of potential risk and the public sector is currently undergoing an era of significant change. This era of change has been accelerated by digital transformation, Brexit and the challenges caused by the pandemic.

Risk management enables public sector organisations to become more reactive to change and make better decisions on how they can operate more effectively in the future, ultimately leading to better citizen outcomes and improved internal efficiency.

However, there are several challenges linked to having an effective risk management strategy in place and public sector organisations must overcome these.

What Are the Associated Challenges Linked to Public Sector Risk Management?

The fast-changing landscape of the public sector can make it difficult for public sector organisations to mitigate risks both efficiently and effectively. However, there are some specific reasons why organisations might find the subject even more challenging than it needs to be:

Lack of Integration

Risk management should play a vital role in the overall strategy of any organisation. Its importance should be embedded into every department so they become more risk-aware when making decisions.

Many organisations find it challenging to integrate risk management into their operation at a departmental level. Instead, the risk management team becomes a silo, leading to poor communication and an abdication of responsibility from individuals.

A Misunderstanding of Risk Management

A lack of employee understanding of the purpose and relevance of risk management can also lead to challenges.

Some may just regard it as a compliance exercise without fully appreciating its importance to the organisation and how it can contribute to overall success. This leads to employees continuing to work using old approaches that can’t meet today’s expectations of minimising disruptions.

Instead, organisations need to gain buy-in from their employees during the initial stages of risk management implementation. This can be done by supporting them in embracing new technologies such as AI-driven threat analysis and orchestration.

Growing Privacy Concerns

The introduction of Data Protection (GDPR) has also presented risk management challenges for the public sector.

Data plays a crucial role in minimising risks in areas such as cybercrime and terrorism. However, data protection laws have made it much easier for organisations to breach privacy.

To overcome these challenges related to privacy, public sector organisations need to invest in updating their security solutions, which play a crucial role in managing data safely and using it to aid organisational decisions.

By Piers Kelly


What do we mean by a great risk culture?

Risk culture is the encouraged and acceptable behaviours, discussions, decisions and attitudes toward taking and managing risk within a business or organization.

A great risk culture binds the stakeholders, risk management framework and process together to reflect the values, strategic goals and practices and embed these into a business’ decision-making processes.

Organisational Culture

The overall organisational culture affects an individual’s values, beliefs, and attitudes towards risk. It’s helpful to employ the sociability vs solidarity model (Goffee and Jones, 1998), also called the “Double S” model, which considers culture with two dimensions:

  • sociability (people focus – based on how well people get on socially)
  • solidarity (task focus – based on goal orientation and team performance)

The model identifies four distinct organisational cultures:

  • Networked (high people focus, low task focus)
  • Communal (high people, high task)
  • Mercenary (low people, high task)
  • Fragmented (low people, low task)

Risk culture

Risk culture can be hard to understand because it covers an organisation’s ability to manage risk.

It may seem like a background concept, but business culture influences risk culture. Risk culture is a broad topic because it covers an organisation’s collective ability to manage risk. Equally, the wider culture of a business is influenced by its risk culture, including:

  • Attitude – the way an individual or group perceives and deals with risk, influenced by perception, predisposition, and mindset
  • Behaviour – observable, risk-related actions, including risk-based decision-making, processes, communications, etc.
  • Culture – values, beliefs, knowledge and understanding of the risk a group shares with a common goal. In particular, it is the values, beliefs, knowledge, and understanding shared among leadership and employees

One of the many cultural issues is that people naturally head towards others who share the same culture. An organisation’s culture can self-propagate if recruitment processes and environment remain unchallenged.

Every organisation has a risk culture, or indeed cultures, and the question is whether that desired culture effectively supports or undermines an organisation’s long-term success.

What impacts an organisation’s risk culture

The right people


Behavioral risk management refers to controlling and mitigating employee and organizational behaviour risks. Individual risks are the behaviours of employees and leaders that could open the business up to risk.

Organizational behavior is collective behaviour and some of these behaviours could be too high a risk for the business.


A robust regulatory compliance system within effective risk management will considerably impact a business. It will make it less likely to experience risk threat events and ethics violations.


From a health and safety viewpoint, employees have rights and responsibilities for their own and their colleagues’ well-being. This is expanded into the risk culture to include risk associated with the business, ensuring the company culture is in, and maintains, a healthy position.

Senior management involvement

The Board must make effective risk decisions about what they expect from the business. They need to communicate their attitude towards risk-taking and risk tolerance and explain the difference in impact between a successful and unsuccessful risk as measured by target metrics.


What is risk governance?

It’s the rules, methods, processes, and measures by which we make decisions about risk. It’s negative and positive because it analyses and formulates risk management strategies to avoid (threat) or achieve (opportunity) risks.



Accountability is a term known to many but not appreciated for the value that it can bring to an organization’s long-term success, including safeguarding against irreversible damage and reputational risk. To make risk accountability practical, the business line must know the acceptable limits on risk-taking.

The accountable person must have the resources and authority to manage the risk.

Issues and escalation

Escalation is the progressive increase in the intensity or spread of risk.

A risk management system must have a process where an increasingly higher level of authorization is required to approve a continuous tolerance of increasingly higher levels of risk.

A contingency (plan) is designed to reduce the impact if a risk materializes. Consideration should be given to developing contingencies for threats and opportunities against the business risk attitude and risk tolerance.

Assessment and Evaluation

An excellent risk culture will improve risk management performance. Because risk culture often evolves as an organisation grows, it may make sense for organizations to self-assess, survey and use focus groups and other techniques to understand the current state of risk culture.

The tone of the organisation

The term tone is the combined impact of all stakeholders on risk management. Communication from the Board level will have little effect if the business’s employees and other stakeholders hear a different message daily from line managers, supervisory interaction and other contacts.

Information often gets distorted as it moves from one management level to another. There is always a greater possibility for contradictions in communication between team members at the organisation’s top, middle, and bottom. Equally, there is a risk of executive management being unaware of profound financial risks, operational risks and compliance risks that may be common knowledge to one or more middle managers and employees.

Physical mechanisms driving risk culture

It’s essential to think about the tone of an organisation and how tangible physical mechanisms can help control it. These mechanisms include a risk governance structure, corporate values, code of conduct and ethics statements, policies, procedures, risk oversight activities, incentive programs, risk assessment processes, risk indicator reporting, performance management reviews, reinforcement processes, etc. Companies and boards must examine various risks, including strategic, operational, financial, IT, etc. They must also consider the organisation’s appetite for risk, how the different risks can interact and how they are managed daily.

Internal attributes driving risk culture

These internal attributes include the attitudes, belief systems and values that drive the organisation’s behaviour, activities and decision-making.

They demand attention, although they are not as quickly seen and understood as physical, tangible mechanisms. For example, how a business handles risk management, control and audit often manifests in addressing weaknesses, escalating issues, and resolving problems. The method and timely nature, or not, in which such activities are carried out provide information regarding a business’s risk culture. So, too, does leadership’s reaction, or lack of one, to warning signs offered by the risk management process.

External attributes driving risk culture

These external characteristics include regulatory requirements and expectations of customers, investors and others.

How an organisation seeks out these requirements and expectations and aligns business processes through actionable improvements reveals its resilience.

Subcultures that impact risk management

In response to a changing business environment, a subculture permits a business to be agile in solving problems, sharing knowledge, and serving customers.

However, they can also lead to rogue actors and risk-taking behaviours that harm the organisation.

Relationship to the overall business culture

A positive risk culture does not operate in a vacuum. As previously mentioned, the business’s culture influences it in many ways. Many argue they are the same thing.

How to improve risk culture

As risk is about future uncertainty, it would seem logical that a desirable risk culture would position the business to be proactive and agile. It should quickly recognise a threat or opportunity and use that knowledge to evaluate its response.

Such a risk culture would give leadership and management a time advantage and better decision-making.

Another example of an attractive risk culture might be maintaining a healthy tension between the business’s activities for creating value and its activities for protecting value. Ideally, one activity must not be disproportionately stronger than the other activity.

Once the current risk culture is assessed, executive management should consider whether any organizational changes are needed and define the steps required to implement change.

In transitioning to the desired risk culture, management should try to achieve the following:

Strategies for Achieving the Desired Risk Culture

Embed the change in the organisation

Risk culture should be affected through a business’s overall risk governance process. For example, accountabilities for risk management should be reinforced through committee charters, policies, job descriptions, and limit structures. Procedures and escalation protocols can also support the desired cultural risk behaviour.

Make it a priority for all stakeholders

All stakeholders must support the positive and desired risk culture by demonstrating the desired behaviours through actions and decisions over time and periodically communicating the value contributed by the organisation’s risk culture.

Undertake an integrated approach to the change

If addressed as a stand-alone initiative, change programs with intermittent communication, awareness promotions, and training strategies are mere surface dressing and provide little in the way of a positive cultural change.

When integrated into a comprehensive program that aligns performance expectations, roles, responsibilities, and operational structures with appropriate risk attitude and tolerance, they reinforce the critical aspects of the desired risk culture.

Periodically evaluate progress

Regularly evaluate stakeholders during the change process. Before commencing, it is important to assess the business and understand the pitfalls to provide a baseline for the initiative. Some of the key strategic considerations before putting things in place are as follows:

  • Leadership support – Is leadership driving this initiative?
  • Ownership of the business’ risk management process – Who is responsible for risk management including the controlling and mitigating actions?
  • Effectiveness of risk management and governance processes – Have the strategies been proven effective?
  • Evidence of crucial business decisions taking risk and solvency into consideration – Consider the consequences of high-impact events and contingency plans
  • Quality of leadership discussions on risk issues and escalated matters – Are these discussions honest, open and transparent?
  • Is there a risk appetite statement and risk tolerances in decision-making? Do you measure how many risks were taken in the past year? How does this compare with how many were tolerated?
  • Is there alignment and incorporation of risk into strategic planning and direction – Is this aspect handled with care?

Every organisation is different. It is crucial to evaluate the business risk culture and make necessary adjustments to shape it over time in response to internal and external change. 


What should now be clear from the article is that any approach to changing risk culture must be carefully planned within the overall business strategy.

The recipe and mix of tools adopted within a business depend on the current situation. There is no perfect answer to how these elements are combined to address the risk culture and maturity of an organization. Several techniques can drive risk management adoption and embed a great risk culture.

Creating a strong risk culture that encourages honest, open and transparent disclosure of risks is an important starting point. What can be measured can be managed and, in many ways, is the first step in recognizing that risks are real and we need to take this on board. Accountability is critical in ensuring leadership acts upon this information and makes the most of these insights. These approaches can be reinforced by effective performance risk management.

It’s not about being risk-averse. Great risk culture also enables individuals to take suitable risks in an informed manner. However, as seen in the run-up to the financial services crisis of the late noughties, taking inappropriate and unsuitable actions can create immediate and systemic risk.

Finally, communication and training programmes are pivotal in reaching the broader organisation and stakeholders to raise general risk awareness. Clearly defined goals are required for these programmes to ensure they deliver benefits within the overall culture change programme. Goals imply that performance should be tracked over time, hence a move to developing risk culture dashboards.

Business leaders must recognise that changing to a great risk culture requires strong organisational change and risk management skills.

Published by: M.Salman Khan


In today’s dynamic business landscape, risk management has become critical for organizations seeking to navigate uncertainties and protect their interests. While implementing robust risk management frameworks and strategies is essential, organizations often overlook the role of risk culture in effectively managing risks. Risk culture encompasses the attitudes, beliefs, values, and behaviors regarding risk within an organization. A strong risk culture is instrumental in building resilience, enhancing decision-making processes, and ultimately driving sustainable growth. This article explores the significance of risk culture in effective risk management and provides insights into how organizations can cultivate and embed risk culture within their operations. 

Understanding Risk Culture 

Risk culture encompasses the collective mindset and behaviours surrounding risk within an organization. It defines how individuals perceive, assess, and respond to risks at all levels. A positive risk culture fosters a proactive and informed approach to risk management, encouraging employees to take ownership of risks and make sound risk-related decisions. On the other hand, a weak risk culture can lead to complacency, siloed decision-making, and an inadequate response to emerging risks. 

Importance of Risk Culture

  1. Improved Risk Identification and Assessment: A strong risk culture promotes an environment where risks are actively identified and assessed. Employees are encouraged to raise concerns, report incidents, and contribute to risk assessments. According to a study by the Institute of Risk Management (IRM), organizations with a strong risk culture are more likely to identify and address risks in a timely manner, reducing the likelihood of negative impacts.
  2. Enhanced Decision-Making: Risk culture influences decision-making processes by embedding risk considerations into everyday operations. When risk is embedded in decision-making, individuals at all levels consider potential risks and rewards before taking action. This leads to more informed, balanced, and resilient decision-making. A study by PwC found that organizations with strong risk cultures were more likely to make informed decisions based on risk-reward trade-offs, increasing their ability to achieve strategic objectives.
  3. Strengthened Risk Appetite and Tolerance: Risk culture plays a pivotal role in establishing an organization’s risk appetite and tolerance levels. A robust risk culture ensures that risk tolerance is clearly defined and communicated throughout the organization, enabling employees to make risk-related decisions aligned with the organization’s risk appetite. A survey conducted by Deloitte revealed that organizations with strong risk cultures were more likely to have well-defined risk appetite statements and effective risk governance structures. 

Cultivating a Strong Risk Culture

  1. Leadership Commitment: Building a strong risk culture begins with leadership commitment. Leaders must prioritize risk management and actively communicate its importance across the organization. By demonstrating a commitment to risk management, leaders set the tone for the entire organization and create an environment where risk management is embraced as a shared responsibility.
  2. Clear Roles and Responsibilities: Establishing clear roles and responsibilities related to risk management ensures that everyone understands their contribution to the organization’s risk culture. By defining accountability and encouraging cross-functional collaboration, organizations can foster a culture where risk management is integrated into various business functions and decision-making processes.
  3. Training and Awareness Programs: Providing comprehensive training and awareness programs on risk management can equip employees with the necessary knowledge and skills to identify, assess, and respond to risks effectively. These programs should emphasize the importance of risk management, educate employees on best practices, and highlight real-world examples of the impact of risk culture on organizational resilience.
  4. Effective Communication: Open and transparent communication channels are vital for cultivating a strong risk culture. Organizations should establish mechanisms to encourage employees to report risks, incidents, and near-misses without fear of retaliation. Regular communication on risk-related matters, such as sharing lessons learned from past incidents, can also contribute to building a risk-aware culture.

In an increasingly uncertain and complex business environment, organizations need to recognize the critical role of risk culture in effective risk management. Organizations can build resilience, enhance decision-making, and adapt to emerging risks by fostering a positive risk culture. Leadership commitment, clear roles and responsibilities, training programs, and effective communication are key elements in cultivating a strong risk culture. By embedding risk considerations into their organizational DNA, organizations can confidently navigate uncertainties, protecting their interests and driving sustainable growth. 



Economic cycles are nothing new. Business leaders have constantly had to deal with things like unstable job markets, supply chain constraints, and cost changes. Concerns about a potential period of weak economic growth are, however, justified. The two most important factors are how long it will last and how much damage it will cause.

Although no one can see into a crystal ball, there are some concerning signs that should not be ignored. Nigerian businesses in 2023, for instance, will continue to cope with several vulnerabilities, including:

  • A high-cost environment.
  • Challenges with the retention of talent with the increasing demand for migrant workers in the United Kingdom, Canada, and other developed economies. This is without prejudice to the rising cost of living in the aforementioned countries. 
  • Post-election political risks 

It would be short-sighted for business leaders not to prepare for some kind of economic slowdown when you consider this along with the frail global forecasts and the pandemic’s ongoing effects.

Despite the doom and gloom, businesses can take practical actions to lessen the effects of economic slowdowns. Instead of worrying about potential future events, this is the ideal time to check that your organization has the necessary systems in place to not only weather storms but to thrive in them. How? 

Pay Attention to your Business Relationships

Customer relationships are crucial regardless of the economy’s outlook, but they can become even more crucial during hard times. Understanding how the economy impacts your customers’ businesses is crucial, but it’s also a great chance to figure out how to help them and add even more value. 

Partner relationships can also be very important. Strong partnerships can help to stabilize or even increase revenue streams because they share the burden of acquiring new business, even though this may result in slightly smaller overall revenue pie slices.   

Diversifying your customer base is essential. When the economy is struggling, it’s crucial to evaluate your customer base and determine whether your business is overly dependent on a small number of significant clients. If that’s the case, think about how you can diversify your customer base and invest in forming new connections. Be cautious when adding new customers because you will want to make sure you can still provide excellent customer service. When every business is vying for a small pool of customer dollars, this differentiation becomes particularly crucial.

Motivate your Talent

Taking care of your team should always be a priority, especially when the economy is weak, as we frequently mention here at H. Pierson. When there is talk of a recession or weak growth, employees are concerned about their own finances and layoffs are a real possibility. It’s not simple to find talented, strong candidates, as we’ve seen over the past few years. 

Consider innovative ways to reduce costs without laying off your talent. Rather than deciding to shrink your team right away, see where else you can cut costs, such as overtime, or scale back some nice-to-have but unnecessary perks. Could you offer employees a day off each week in exchange for lower pay? Or can the team collectively agree to a pay cut that ensures everyone keeps their jobs?

Increase your Firm’s Agility

In order to become more agile, your business may need to invest in itself or increase spending in some areas. In a struggling economy, this may seem counterintuitive, but you might discover that enhancing technological or organizational systems results in longer-term resource utilization. As well as allowing for the introduction of new goods and services, it may also permit the diversification of income sources. 

Any department in your organization could benefit from agility. You can change how you interact with customers and assist them in discovering new value in the goods and services you provide by using agile marketing. Agile development may entail freeing up unused resources to give your team more time and freedom to think creatively and make the best use of their collective talents. Your human resources department’s agility may take the form of job-sharing arrangements to better utilize strengths and tap into your talent pool or cross-training staff to take on new responsibilities. 

We are aware that not all organizations can implement these ideas, and that there are times when difficult choices must be made. Transparency is key in those situations. Be clear about the needs and objectives of the business and try your best to make decisions for your employees with respect and gratitude. Take into account the significance of every position within your company as well as the effects on those left behind when positions are eliminated. Show that you have a plan in place to guarantee a fair and enjoyable working environment, even if the size of the team needs to change. 

When times are tough economically, having the right strategy and the insights required for effective strategy execution is mission-critical. Reach out at strategy@hpierson.com and let us guide you through a free consultation to determine how your company can best develop a plan to remain strategy-protected both now and into the future.

H. Pierson Advisory Team


Artificial Intelligence (AI) and machine learning have proven beneficial to businesses across several industries. Artificial intelligence is the ability of computer-controlled robots or digital computers to perform tasks commonly associated with intelligent beings. Machine learning (ML) is a subset of artificial intelligence (AI) that concentrates on building systems that improve performance based on behavioural patterns and data (Oracle, 2022).

The ability of AI to rationalize and take the best possible actions in the direction of a desired goal or expected result(s) is its ideal feature. Artificial intelligence includes expert systems, speech recognition, natural language processing (NLP) and machine vision.

Artificial Intelligence and its Business Process Effects

A report by SEMRush (2021) predicted that the surge of AI usage by businesses would create about $2.9 trillion of business value and over 6.2 billion hours of workers’ productivity, with a high impact of enhancing the overall competence of human workers by 2025. This implies that despite a reduction in the number of the total workforce due to AI, the newer jobs that will be created will produce more wealth for businesses and economies that adapt to it. By deploying AI technology, you can position your processes to:

  • Avoid mistakes prone to human errors
  • Grow expertise through reliance on very accurate analysis
  • Increase productivity and operational efficiency
  • Increase revenue by identifying and maximising opportunities
  • Make faster business decisions based on cognitive tools
  • Save time and money by automating and optimizing routine processes
  • Predict customer preferences and offer more personalized options

Artificial Intelligence as a Corporate Advantage

AI is gradually changing the traditional approach to business management. AI and machine learning have substantially helped businesses speed up decision-making. They have helped to mitigate risks, provide better information security, and enable businesses to offer customised services to their consumers.

Also, AI is distinctively capable of analyzing massive amounts of data for cyber security purposes, as well as more precise, efficient, and effective risk management. Major benefits of applying artificial intelligence to corporate institutions include:

  1. Fraud Detection

Financial institutions like banks and fintech firms would usually need complex and sophisticated analysis processes to detect potential fraud. Relying on humans for this is painstaking, with a very high possibility of errors, which may in turn be very substantial in the chain of effects. As a result, machine technologies have proven to be the best for such rigorous tasks.


  2. Threat Analysis and Management

AI technologies are capable of analyzing vast amounts of data and user details from several sources. This allows for real-time prediction models to be created, enabling security teams and risk management experts to promptly anticipate and combat imminent threats.

Furthermore, these tools can be used to develop more improved systems that give early warning signals whilst ensuring that the business runs continuously and smoothly without interruptions due to threats.

  3. Data Classification

At the core of AI proficiency is the handling of data, big or small, in a very fast and efficient manner. This is one of the reasons why there are no limits to the businesses that can use AI. These technologies are very good at processing and classifying data based on business patterns and categories. In addition, they can monitor and protect access, thereby ensuring data security.

Locking into the Future with AI

As technology evolves and digitalization gains relevance in different industries, the adaptation of businesses to AI is imperative to remain competitive, relevant and efficient. AI is not just a perk, but a necessity.

While AI tools have taken the place of manual functions and human duties, businesses should strive to adapt rapidly to new ideas. Even though business goals remain the strategic focus, an open mindset should be maintained towards corporate growth, and skilled talent in likely areas should be gradually enabled towards the overall adoption of artificial intelligence.




In the past few years, the world, driven by Covid-19, has pivoted in ways most of us could not have predicted. On the back of that, companies are embarking on a series of transformation programmes, particularly to become more digitally mature as well as more sustainable on the triple bottom line of people, planet and profit.

However, doing business in today’s volatile climate is itself a tall order as companies have to juggle a vast network of evolving risks – internal, external and existential – with greater complexity and inter-connectedness than ever before. Managing large-scale transformations during these times will bring further uncertainty and raise the risk levels, but the opportunity to implement long-term sustainable change is one that companies cannot afford to ignore.

Therefore, it is no surprise that there has been a renewed focus on managing risks in the boardroom. In the ICDM 2022 ASEAN Board Trends Survey, we found that ASEAN boards are looking to elevate their oversight capabilities in risk, with the risk management committee (54%) emerging as the top board role requiring improvement in 2022.

From Passive to Proactive

In many organisations, there has been a tendency to deal with risk passively, regarding it as a compliance-oriented matter and conflating risk with finance and audit. This often results in missed opportunities in identifying areas of growth alongside the required levels of oversight to deliver breakthrough performance.

Instead, companies should develop a greater capacity to think of risk as being a proactive way of understanding uncertainty and the factors that can positively impact strategic outcomes. There is also a need to reframe the perception of risk from “something to be avoided” to “something to be explored”. After all, risk is embedded in the organisation’s pursuit of success.


A passive risk culture hinders transformative initiatives as it does not promote either innovation or the environment for new ideas, let alone provide the supportive culture necessary to facilitate an open dialogue on risk and opportunity, which ultimately drives success. A passive risk culture focuses on short-term mitigation plans which are often reactive in nature, rather than more robust, proactive and value-creating risk responses.

Amidst extensive programmes to drive innovation, digitalisation and sustainability, the risk management strategy should be refreshed in tandem with the aspirations for resilience and long-term growth. That means moving away from a controls-oriented risk approach and towards one that is dynamic and forward-looking. A forward-looking risk culture, and the tone necessary to ensure the right risk culture is perpetuated, is driven by an organisation’s leadership.

While risk culture can be challenging for many organisations, it can be defined through ten dimensions across four key areas: acknowledgement, responsiveness, transparency and respect, as outlined in Exhibit 1.

Exhibit 1:

Risk policies, procedures, and systems, regardless of how well-crafted and sophisticated, are only as good as the people responsible for executing them. Their mindsets, practices and behaviours will make or break the risk management strategy.

As part of the boards’ risk oversight duty, it is worthwhile for directors to allocate time and energy to create conditions that engender the desired risk culture. Here are five thoughtful actions boards can take to set the tone for a robust, forward-looking risk culture.

1. Align risk with strategy

Building a strategically focussed, proactive enterprise risk management mindset starting at the top

As the first step to transition from a controls-oriented approach to a proactive enterprise risk management mindset, boards should look at strategy development from the perspective of risk and opportunity management. For example, if a retail company’s vision is to be environmentally sustainable, its strategy development should include a consideration of potential scenarios, threats and opportunities, ranging from stakeholder expectations to regulatory requirements, and from tech disruptions to the environmental, social and governance (ESG) factors. Such an exercise brings greater insight and offers clearer direction. By understanding the gaps, strengths and weaknesses of the company, the board and management can arrive at a strategy that is far more purposeful and impactful, and that acts as an enabler in making the desired transformation happen.

Upon settling on a strategy, aligning risk with the execution of the strategy from the outset at the board level also allows companies to explicitly pinpoint the critical risks that would influence outcomes. For instance, if the strategy for the above-mentioned retail company is to digitalise and venture into the e-commerce space, it would have to consider risks in data privacy, cybersecurity, logistics, customer experience, the carbon footprint associated with packaging and delivery, as well as human capital. And let’s not forget the project-related risks associated with the development and implementation of new processes, systems and people needed to deliver the expected outcomes. Greater awareness of these risks increases agility and responsiveness by providing greater foresight in mitigating potential threats and capturing emerging opportunities, thus offering the retail company a smoother market entry and a better chance to get ahead and benefit from the upsides.

In a nutshell, building a proactive risk culture is the very foundation of successfully aligning risk and strategy, which in turn influences behaviours and performance.


2. Find clarity in diversity

Diversity plays a critical role in shaping the board and the organisation’s attitudes towards risk

Humans are at the core of risk oversight and management. Directors’ personal predispositions will influence boardroom discussions on risk. Board diversity, therefore, plays a critical role in forming the board and the organisation’s attitudes towards risk as imbalanced boards are more likely to have a distorted view of risk. Based on our observation, many boards today lack the diversity of thought, experience and skills to perpetuate deep discussions on risk.

Research shows greater board diversity fosters more efficient risk-taking, and organisations with diverse board members invest persistently more in research and development (R&D) and have more efficient innovation processes. This truly emphasises the importance of having a balanced board composition. For example, members with a legal background will have a very different perspective on risk from members who are entrepreneurs or members who used to be diplomats. By coming together, they form a more holistic risk perspective that will give the company a better chance of achieving sustainable performance.

Moreover, risk should not be treated in isolation, nor should it fall on just one director with “risk expertise” to act as the sole stakeholder and authority on risk. It requires diversity of experience, thought and seniority, all contributing their collective wisdom as a board to ensure the culture is cultivated right across all functions, departments, geographies, as well as with stakeholders including joint venture partners and the supply chain (extended enterprise).

3. Adopt networked thinking

Making sense of the growing interconnectedness of risks to build greater risk awareness

In an increasingly interconnected world, risks do not exist in isolation. Like humans, they form interdependent, complex networks. Events and technological advances have often been viewed in isolation when in fact many of the events, changes and innovations taking place elsewhere or in other industries can, and usually do, have an impact on organisations on a more global basis. 

Instant noodle manufacturers in China saw a drastic decline in sales between 2013 and 2016. Amongst the key unexpected contributors to the drop were the explosive growth of China’s high-speed railway networks and the rise of instant food delivery.

Networked thinking provides organisations with an opportunity to develop a broader understanding of how external market forces can impact the business, be it supply chain, resources management or even reputation. Being able to make sense of the interconnected nature of risk forms the baseline for organisational resilience.

4. Empower everyone to take action

Drive risk collaboration by encouraging open communication and risk-informed decision-making across all business units

Creating an environment where conversations on risk are encouraged is an important first step. A risk-aware culture where employees feel safe to speak up and take action will be extremely beneficial in providing early warning and enabling speedy response to crises.

An excellent example can be seen in the oil & gas sector. Employees are encouraged to act if they see or even suspect something hazardous is likely to occur. They do so with the knowledge that there will be no adverse repercussions for taking action even if it means ceasing operations with a loss of production and revenue, despite the pressure to achieve performance targets. 

Contrast this with the practice of days past when taking such action usually resulted in recriminations and retaliation from managers and peers. Interestingly, we saw a far greater number of major incidents and disasters happening when the culture did not support a risk-aware approach and did not empower people to proactively take action to manage risk.

5. Allow room for failures

Making risk less personal and incentivising smart risk-taking to capture growth opportunities across all business units

Executives and managers in large corporations are often discouraged from proposing or advocating for out-of-the-box but risky projects despite knowing that they could be good for the company. This can largely be attributed to fear of jeopardising their careers should the projects fail. Allowing room for failures through a test-and-learn approach can greatly reduce risk aversion amongst the workforce and enhance the company’s ability to capture and successfully exploit growth opportunities.

This requires the board to clearly define the risk appetite and communicate the mindset and behaviours expected in the day-to-day decision-making process. One crucial practice to consider is the use of scenarios, decision trees or other methods to map out likely outcomes, both positive and negative, before deciding to embark on a project. This brings greater clarity along with the ability to better track and measure risks and outcomes. Even if the project fails, it is not done in vain, as companies can derive from it lessons learned that can be applied to future endeavours.

Exhibit 2:

Risk management is a perennial feature in business. However, as the business landscape evolves, the risk management approach must also evolve to meet the growing need for change and adaptability. Having a proactive risk culture to support the risk frameworks and processes will give your transformation initiatives a better chance of success. The impact of the tone from the top cannot be overstated, and boards must first exemplify the risk culture they want the organisation to adopt by setting the tone and living the values. But getting there requires boards to have honest conversations on risk and risk-taking.

Does Your Company Have a Proactive Risk Culture?

Culture in an organisation can be defined as “how things get done around here” and risk culture is a subset of organisational culture. Risk culture is about how risk is viewed, dealt with, and how well understood it is. Here is a checklist the board can use to determine the company’s current state of risk culture.

  1. Are the company’s risks aligned with the strategies?
  2. Do we have a clearly defined risk appetite?
  3. How well understood is risk and risk management?
  4. Does everyone understand their role in managing risk?
  5. Is risk embedded in the day-to-day decision-making and execution?
  6. Are our reward structures such that we reward taking action to proactively manage risks?
  7. Does the workplace encourage people to speak up?
  8. Do we have a test-and-learn mindset and room to learn from failure?

Lim, M. K., & Griffiths, G. (2022). Your transformation initiatives might be impeded by a passive risk culture. Malaysia. Retrieved from www.bursamalaysia.com
