7th February 2019
By Elizabeth Meza Rodríguez, editor for El Empresario and Management.
Companies are exposed to risks, both operational ones and natural disasters. Some risks in economic and financial crises, political issues, market trends and operational management can be avoided, but doing so requires a risk culture to be implemented throughout the organization.
This means a risk culture involves both the Director or the CEO and the Operations Manager, as well as each of the employees, who must assimilate it as a routine activity that is a part of the company’s DNA.
An existing risk management culture helps the company to identify threats, tackle obstacles that may arise, increase the chances of achieving goals, lower employee turnover, engage employees, foster proactivity, and improve the company’s adjustment to the social and economic environment.
However, it isn’t enough to merely desire to establish a culture of risk management; it’s necessary to set out a policy and a drive to get all workers involved. This starts with appointing a Risk Director or Chief Risk Officer (CRO), who will be the person in charge of creating this culture and transmitting it to the rest of the organization.
According to Price Waterhouse Coopers, there are three lines of defence: the first is made up of senior management and business units, the second of risk and compliance functions (including the CRO) and committees, and the third entails internal audit.
Although the Risk Director is the second line, he is obligated to interact with the first and third lines of defence.
One way to rapidly disseminate and implement the risk culture is to set the parameters from the first line in collaboration with the Risk Director and then roll the strategy out to other areas, so as to create a pyramid that encompasses each one of the collaborators. This way an organization with greater resilience and risk culture is created.
In other words, the first line makes decisions in keeping with the strategy, while the second line shapes the measures to be taken, based on queries, consultations, and collaboration. The third line focuses on protecting the organization and creating value.
However, according to PWC data, only 13% of companies worldwide involve the front-liners or senior management in risk management.
Risk management in cybersecurity
With technological progress, more and more companies are looking to support their risk management models with technology for better decision-making, for greater control, and to allow them to act in advance of a problem.
Cyberattacks have become a threat that worries companies, an issue that has been escalated by massive attacks like WannaCry, which affected over 200,000 computers in 150 countries in 2017.
A risk culture also extends to cybersecurity. Here it is necessary to define specific lines of action in three areas: the first is using a methodology aligned with the operation strategy, the second is flexible plans, and the third consists of having a line of communication with the groups.
Each of the risk management lines must be aligned with the company’s values, goals and objectives. This way it becomes easier for employees to be ready for any possible problem the organization faces.
Although it is hard to predict risks 100%, there are tools that help the organization to create strategies enabling it to overcome threats:
- Identify the risks, weaknesses and consequences that may arise in the company
- Assess the hazards by the level of impact or incidence
- Conduct an analysis of possible risks and establish how to mitigate them, to find out the company’s real exposure
- Design preventive and corrective measures.
How to achieve a risk management culture
- Establish a solid organizational environment focused on the risk culture and on the administrative boards, so that it starts right from the management board and the CEO and takes hold throughout the organization
- Align risk management with the strategy at decision-making time, so that the first line anticipates business risks when setting tactical priorities
- Balance the program over the three lines of defence so decision-making takes place throughout the organization
- Develop risk reports that allow management and the board of directors to exercise supervision.