Creating a risk-aware culture: ERM experts share their advice
Behind every successful risk program is action — or, rather, the millions upon millions of micro actions that take place across an organization in the course of a day, week or month.
These micro actions form culture. When all the parts align, it’s a beautiful thing.
But how do you make this happen as companies get bigger, businesses grow more complex, and governance, risk and compliance (GRC) intersects with so many parts of an organization?
In a recent discussion at Diligent’s ERM Virtual Summit, I asked a panel of ERM experts for their advice. They brought a deep and varied array of perspectives, as you can imagine from their impressive resumes:
- Amy Sandgrund-Fisher is General Counsel and Chief Human Resources Officer at the Clinton Foundation in New York City. She’s also worked as an in-house attorney for startups, tech companies, pharma, a law firm and many others.
- James Bone created the ERM programs for Fidelity and Columbia University, has advised public and private organizations, published several books on the topic and is still a practicing risk researcher.
- MK Palmore is a former U.S. Marine, a retired FBI executive and special agent, a longtime cybersecurity practitioner, and today serves as director in Google Cloud's Office of the CISO.
Highlights from our wide-ranging discussion follow.
Setting the tone
Examples can be extremely powerful when it comes to shaping culture. I saw this in action in a prior role years ago when I was negotiating an agreement that was getting contentious. At the 11th hour, opposing counsel asked me a question, and I knew if I answered honestly, that answer would kill the deal.
But I took a breath and spoke the truth, and I’m glad I did. Several years later, a junior lawyer approached me and told me that how I handled that situation was a professional lesson in ethics for her.
Our experts shared the opinion that actions speak loudly in terms of building a risk-aware culture. But whose actions? And how?
“The culture of the organization is a living, breathing thing, and it’s really driven by how the executives show up day in and day out and exercise their responsibilities,” Palmore explained.
He emphasized how the actions of those at the top set the tone for the rest of the organization — for example, audit committees on the board periodically reviewing risks associated with operations, and executives making hard decisions about accepting and transferring these risks.
But Bone argued that “tone at the top” is “a very nebulous concept.”
Beyond just the executives and the board, he said, risk culture needs to be embedded into every part of how you do business, including the goals, the structure and how behaviors are rewarded. Are people doing the things you want them to do? Are they being proactive about addressing risk and are they solving problems?
“If all people do is bring problems to senior executives, that’s not the right risk culture,” Bone emphasized. Your team also must feel empowered to solve those problems.
“It has to come from the leadership, but it also has to come from the bottom up,” Sandgrund-Fisher remarked. “I think it's really about if you've got everyone kind of lockstep in terms of the types of risks they want to be taking, the types of risks they want to be looking at more closely, or even the risks they might want to consider backing away from.”
Spreading the wealth
“No one single team should carry the brunt of the responsibility to get this thing done,” Palmore declared. In addition, he continued, “If risk is all housed in one team and that team is making all the decisions, it’s easy for someone at a distance to simply ignore it.”
He instead recommended “spreading the wealth” through collaborative decision-making and empowerment.
“Make the necessary business units participate in the risk process. Enable them, especially at the leadership level, to make decisions about whether or not they are willing to actually accept the risk, or whether or not they’re going to implement controls and things to mitigate the potential impact of that risk,” he advised.
“You want to give people the responsibility and freedom to make changes, to report, to do all of the things we’ve been talking about, and be really intentional about that at the outset.”
Sandgrund-Fisher noted the importance of “a community and an environment where folks not only are aware of what the process is, but it’s very clear who to report things to or what the opportunities are for reporting.”
Trust and a safe environment
A risk-aware culture is about attitudes and expectations as well as policies and procedures, according to Sandgrund-Fisher. “Empower employees to feel comfortable stepping forward if they see something that doesn't feel right,” she said. “Create an environment where reporting is something that is expected and valued and celebrated.”
She shared the story of a simple, seemingly small tool that made a big impact in terms of empowerment at the Clinton Foundation: an anonymous email box.
“It has really, I think, allowed employees to bring not just risks, but all kinds of concerns to senior management's attention,” she reflected.
“We work really hard to address most of those on an all-staff call in front of the whole organization,” she said. “I think it's also really created an environment where folks are actually willing to step forward when they're not anonymous.”
Palmore echoed the importance of a safe environment in an organization’s culture and enterprise risk management. “Giving folks the freedom or the space to feel comfortable in bringing items and issues to the awareness of management and leadership, I think, creates an environment where addressing those issues then becomes much easier,” he said.
“A little bit of psychology is involved in this, right?” Bone noted. Because people are not comfortable talking about risk. And senior executives don't like to talk about risk because it's a reflection on them. So, you have to have conversations in an environment where people can build trust over time.”
For more expert insights into how your organization can build a more effective ERM strategy, watch all four Diligent ERM Virtual Summit sessions on demand.
