SPECIAL

SPECIAL REPORT
REPORT >
>
CLIMATE CHANGE
RISK CULTURE

All focused
on one thing
IN PARTNERSHIP WITH
Proactive risk assessment should be
embedded in every decision made at an
organisation. Your job is to shape the culture
to make risk a company-wide priority.
SPECIAL REPORT > RISK CULTURE

The power to change things

PANEL Our trio of experts share the steps
they’ve taken to create a positive risk
culture and how you can use these to
embed risk into organisation-wide
decision-making. Sara Benwell reports.
O
rganisational risk culture is a powerful
thing. When it is positive, risk analysis
is factored into decisions from the
get-go, boards understand the value of
risk management in achieving business
goals, and everyone is speaking the
same language.
However, when risk culture is poor, bad decisions
are made, risk management is seen as a blockade
rather than a valuable business tool, and companies
rely on static risk tools that don’t allow them to
evaluate opportunities on the horizon.
But how can risk managers influence culture to
create an environment where risk-based decision-
making is the norm?
In September, StrategicRISK held a webinar with
three risk experts to find out.

2 StrategicRISK SPECIAL REPORT EDITION > www.strategic-risk-global.com


BACK TO BASICS
Working at a company like SimplyHealth, where
people want to do the right thing, makes getting risk
culture right easy, said head of risk and financial crime,
Tom Hughes.
However, his experience working in organisations
where risk culture is less defined demonstrated how
sometimes a more radical approach is required.
Hughes explained: “In less mature companies,
we really have to go back to the basics and look at
how we can reset the risk management framework,
and transition hearts and minds so that risks
are understood, actively managed, and the risk
management function is trusted to play an active and
collaborative role.”
He said building relationships is a key part of this,
as is having a well-understood taxonomy of risk. But
he added that workshops with risk simulations linked
back to corporate objectives can be a great way to
break down silos and get people thinking about risk in
the right way.
Claire Hopper, international sales engineer at
Riskonnect, agreed that having a common language
is an important place to start. She said: “I don’t think
a risk manager can be aware of all risks that might
impact an organisation. You need to use people to
get that data in… A good first step is aligning the
terminology. For new employees, think about having a
glossary before you start speaking to people and help
them understand what risk means to you.”
She added that then you can start using the data
you’ve collected to identify key themes and spot
emerging risks. Eventually, you can compare the cost
of incidents with the cost of controls and demonstrate
the influence your allies have had on helping the
organisation meet its objectives.
MONEY TALKS
“THERE WILL Risk culture changes typically start at the top, which
ALWAYS BE usually means you need buy-in from someone on the
board. When it comes to senior managers, money
SOMEONE WHO
talks, and demonstrating how risk management can
IS AGGRESSIVELY
save on insurance premiums is a great way to get
AGAINST ANY their attention.
TYPE OF RISK Alex Sidorenko, group head of risk, insurance and
INTEGRATION… internal audit at Serra Verde, explained: “There will
WHAT REALLY always be someone who is aggressively against any
HELPS IS SAVING type of risk analysis or risk integration… What really
MILLIONS OF helps is saving millions of dollars because once you
DOLLARS BECAUSE do that, it’s a lot easier to sell risk management. This is
ONCE YOU DO THAT, what I usually focus on first. Once you’ve saved a few
IT’S A LOT EASIER million on insurance, the buy-in from the top seems to
be a lot easier.”
TO SELL RISK
Hopper stressed that risk managers must
MANAGEMENT.”
demonstrate the upside of risk, showing how
Group head of risk, analysis and management can help firms to leverage
insurance and internal opportunities. This, she argued, is a great way to build
audit, Serra Verde
Alex Sidorenko allies among senior managers.
She said: “If you start showing risk management
as a money-making exercise, then the board will
be more interested. We don’t see that very often.
Everyone starts with threats, which is fine. But once
www.strategic-risk-global.com < SPECIAL REPORT EDITION StrategicRISK
In partnership with
“IN LESS MATURE
COMPANIES, WE
REALLY HAVE TO
GO BACK TO THE
BASICS AND LOOK
AT HOW WE CAN
RESET THE RISK
MANAGEMENT
FRAMEWORK,
AND TRANSITION
HEARTS AND MINDS
SO THAT RISKS
ARE UNDERSTOOD
AND ACTIVELY
MANAGED.”
Head of risk and financial
crime, SimplyHealth
Tom Hughes
you start identifying those causes in your bow tie
model, you can start thinking about how that could
have a positive influence on your organisation and
meeting business objectives.”
For Hughes, mapping key stakeholders to
understand what their attitudes and risk appetites are
can help you to flex your strategy and bring naysayers
on board. In fact, he argued, it is probably those people
who are most challenging to convince that you need to
build better relationships with.
He said: “There’s a lot of people coming in and
out of a business who come from different risk
cultures, and have different motivations. When
we implemented our GRC solution, we quickly
realised who our stakeholders were by looking at
their attitude towards risk, their history on it, how
busy they are, how technologically adept they are,
and how likely they are to embrace change that we’re
looking to introduce.”
FANCY A PIZZA NIGHT?
When looking to shape risk culture in an organisation,
allies matter. Hopper recommends starting with
teams that already have a good relationship with
risk to get buy-in. She explained: “I do see a lot of
clients starting with the mature areas, such as the
IT team. They’re naturally, whether they know it or
not, mitigating risk all the time. They have a lot of
knowledge to share.”
For Sidorenko, one approach to getting people
engaged has been setting up pizza, beer and table
tennis competitions throughout an organisation –
something he described as his “most successful”
strategy. This allowed the risk team to have informal
conversations with heads of departments, getting to
understand their attitudes to risk outside of the bounds
of formal meetings.
However, he said risk managers must also go
further and endeavour to create an atmosphere where
3
SPECIAL REPORT > RISK CULTURE
risk analysis is inevitable. He explained: “That means
rewriting procurement, investment and budgeting
procedures that basically say you cannot present
something for approval unless it has stress tests or
Monte Carlo simulations. You can’t get that without
doing proper risk analysis.”
Hughes said that within his organisation, risk
management has mandated that every employee has
a risk-based objective in their personal development
plan. While this may sound challenging, he said that
most people are already managing a risk of some sort.
He added: “It could be quality, it could be helping to
achieve a sales target, but when you start pinning that
to the strategic objectives of the business, everything
they’re doing is managing risk. Having a strategic
approach to how you tackle each of those layers is how
we went about [influencing risk culture].”
WHEN IT GOES RIGHT
Hughes said that the ultimate upshot of shaping a
more positive risk culture is that the risk management
team becomes a commercial enabler, rather than a
blocker. He explained: “You’re evaluating the purpose
of an activity, its alignment to the business’s strategic
goals and making it really clear that you’re helping to
remove boulders that could get in the way of success.”
Sidorenko added that in a strong culture,
employees seek out the risk team to ask for
quantification methodologies and support with
risk analysis before making important decisions.
Grading your own work
The benefits of a healthy risk culture may be well-understood, but how can
risk managers establish where their organisation is on the spectrum of good
to bad, and make measurable improvements? Sara Benwell investigates.
E
very organisation has a risk culture of
some sort, whether it’s something the
company has actively shaped or not. Risk
culture is about how employees make
decisions every day of their working lives.
It encompasses behaviours, attitudes and
underlying understanding of risk. As one risk manager
puts it: “It’s how we act when nobody is watching.”
For risk managers, that means that you can’t afford
to hope for the best. Just because you haven’t been
measuring risk culture, it doesn’t mean it’s not there,
and whether it is positive or negative could have
4 StrategicRISK SPECIAL REPORT EDITION > www.strategic-risk-global.com
For example, at a previous company, one team was
engaged enough to raise concerns around a solar
“DON’T PRESUME generation subsidiary.
EVERYBODY Simulations and stress tests showed that the multi-
KNOWS THE billion company was going to go bankrupt in months.
BUSINESS After being made aware of the risk analysis, the CEO
OBJECTIVES OR could speak to the deputy energy minister, which led to
UNDERSTANDS a change in legislation.
WHAT THE RISK Sidorenko said: “The company is still alive and
that was an amazing experience when somebody
TERMINOLOGY
absorbed that culture and was motivated enough to try
IS… SHOW PEOPLE
quantitative risk analysis to support the decision they
THAT THEY DO were making.”
UNDERSTAND RISK Hopper agreed that the benefits of positive risk
MANAGEMENT AND culture are significant, but reminded the audience
THEY’RE ALREADY that this should be a continuous process. She
DOING IT.” concluded: “It’s never one and done when you’re
International sales training somebody. And don’t forget to start from the
engineer, Riskonnect beginning each time, because a year later, there’ll be
Claire Hopper new employees in your organisation and different
environmental impacts affecting you.”
“Don’t presume everybody knows the business
objectives or understands what the risk terminology
is. That’s important, otherwise you will have people
nod and agree when they don’t know what you’re
talking about. Show people that they do understand
risk management and they’re already doing it. Lastly,
don’t forget that people might be shy initially, but it
doesn’t mean that they’re not intelligent or don’t have
valuable information to share.” SR
significant implications for your organisation.
Stefan Gershater, director of risk at Burberry, says;
“‘Risk culture’ just describes the decision-making culture
of a business. I don’t believe there’s a separate thing
called risk culture because, actually, we should all be
making good decisions as quickly as we can, with all the
available evidence. You should be aspiring to that.”
Clive Thompson, technical adviser at the Institute
of Risk Management (IRM) says: “The organisation will
have a risk culture anyway, because it comprises a
group of people who will have their own values, beliefs
and personal attitude to risk.”

The challenge, then, is to understand your existing
culture, which means measuring the prevailing attitude
to risk and to the risk management approach within
your firm.
KNOWING WHERE YOU’RE AT
A major complication is that risk culture is fluid, so risk
managers need to monitor how it changes over time.
When you start trying to influence culture, this allows
you to measure the impact of your strategies.
The IRM suggests four key questions to consider:
• How is leadership driving the organisation in
respect to risk management? Do they set a clear
direction with consistent messaging on the issue of
managing risk?
• How do leaders respond to ‘bad news’? Are the
people who operate the risk framework encouraged
to act in an open and transparent way, or are the
messengers ‘sacked’?
• How is the governance of risk applied? Are
accountabilities for managing risk aligned with
accountabilities for key business decisions? Are
people allowed to ‘get away with it’ if success follows,
even though controls may have been breached?
• How transparent is the communication
around risk management? Is timely information
communicated widely and in an easily understood
In partnership with
and meaningful format? Are examples of appropriate
risk taking widely shared?
Matt Handley, chief risk officer at Handelsbanken,
says audit processes are a key gauge of organisational
culture. “When risk culture is good, the governance
is there to challenge and bring problems to fruition.
Nothing’s hidden away. In a poor risk culture, you find
that governance was just a box-ticking exercise.”
Another indicator is how forward-looking your
organisational decision-making is. Part of risk culture
is a company’s collective awareness of the need to
proactively prepare for future threats and opportunities.
Maya Wellig, head of global risk management
at Sunstar, explains: “Organisations are faced with
increasing levels of complexity, with shocks and crises
appearing stronger and faster than ever before. Rather
than waiting for adverse events to happen and having
to firefight when they do – utilising funds and resources
that are elsewhere engaged, and risking losses and
turmoil – organisations need to put in place robust
mechanisms of preparedness.”
Kerry Balenthiran, operations vice-president, group
manager, business risk consulting (EMEA & Asia Pacific)
at FM Global, adds: “It is too easy to cut corners when it
comes to dealing with risk, and it often goes unnoticed
in the short term.”
“People tend to be optimistic and underestimate the
likelihood of something going wrong, until it is staring
them in the face. Therefore, cultivating a robust risk
culture often isn’t a priority until something breaks. In
the worst case, this could lead to significant business
disruption, highlighting the importance of protecting
today to help drive prosperity tomorrow.”
MOVING THE NEEDLE
Once you’ve evaluated your organisation’s current
“CULTIVATING approach to risk-based decision-making, the next step
A ROBUST RISK is positively shaping it to promote better outcomes.
CULTURE OFTEN For Balenthiran, this starts from the top. “Having
ISN’T A PRIORITY risk management as a standing item for discussion by
UNTIL SOMETHING senior management, or a separate risk management
BREAKS… THIS committee that reports to the board, is a great way to
COULD LEAD TO set a positive and proactive tone,” he says.
SIGNIFICANT “A risk framework needs to become part of the
operational processes of all parts of the business.
BUSINESS
Manufacturing and service functions have this already
DISRUPTION, to ensure quality and customer satisfaction, but it
HIGHLIGHTING needs to include supply chain, marketing and facilities,
THE IMPORTANCE and be broader than just quality. The organisation’s
OF PROTECTING values need to reflect… what is and isn’t permissible in
TODAY TO HELP the pursuit of the organisation’s goals.”
DRIVE PROSPERITY One way to convince boards that they need to
TOMORROW.” engage in proactive risk management is to track and
disclose events that impacted results in recent years.
Operations vice-president,
business risk consulting This quantified approach has successfully improved
(EMEA & Asia Pacific), risk culture at Sunstar. Wellig explains: “Sunstar’s risk
FM Global function has spent much time putting together such
Kerry Balenthiran tracking lists – which include various adverse events
from quality issues to failed investments, fraud cases, HR
incidents, cyber-attacks and so on – and quantifying the
losses that had incurred. Very often, when management
www.strategic-risk-global.com < SPECIAL REPORT EDITION StrategicRISK 5
SPECIAL REPORT > RISK CULTURE

– of all levels – is faced with these lists as well as with the
actual monetary damage that they caused, it brings to
life the need for proactive risk management.”
“Sunstar’s risk function works closely with the
business to not only identify risks, but also to mitigate
them, via action-oriented workshops that it runs
across the company, and by getting involved in cross-
organisational risk mitigation activities. This allows
the risk culture to trickle through the organisation and
creates an environment of trust and collaboration.”
At Handelsbanken, one key driver of culture
is the way the company thinks about reward and
remuneration. When onboarding new candidates,
significant time is spent talking about whether they are
culturally aligned and have the same risk appetite or
tolerance as the business.
Handley says: “We don’t pay bonuses. That drives
a longer-term view and a little bit more commitment
and ownership around the way the bank is operating
and behaving… Everybody has risk-based objectives,
because we want people to think about the risk that
they are taking in their job and the risks that they are
“WE DON’T PAY helping the bank to manage or reduce.”
BONUSES. THAT
DRIVES A LONGER- DECISION SUPPORT
TERM VIEW AND A He says that to achieve this, risk managers need strong
LITTLE BIT MORE allies, particularly in the HR department and the C-suite.
COMMITMENT Gershater agrees that having a strong network of
AND OWNERSHIP allies is critical, adding that it’s important to include
AROUND THE strategists, financial planners and the operations team,
so you can use risk as a tool for value creation. To
WAY THE BANK IS
achieve this, risk managers must focus on the positives.
OPERATING AND
He concludes: “You have to take risks, because
BEHAVING.” you can’t create value out of thin air. It’s about taking
Chief risk officer, risk more knowingly and if you manage to do that by
Handelsbanken tying the risks to objectives and by showing how risk is
Matt Handley
supporting value creation as well as value protection,
then you move into the realm of decision support.
You’re still looking at threats, but you’re showing how
you can grow the business as well as protect it.” SR

Eyes and
ears open
EXPERT VIEW Riskonnect’s
Claire Hopper has advice on
how to build a culture where
everyone incorporates
risk considerations into
everything they do – making
sure they are always looking,
listening and mitigating for
potential problems.

M
any organisations are putting risk
management front and centre for
all employees, not just those with
‘risk’ in their title.
That’s because they realise how
important it is to be agile and to
quickly identify emerging threats and take corrective
actions before they can escalate.

6 StrategicRISK SPECIAL REPORT EDITION > www.strategic-risk-global.com

 In partnership with

CASE IN POINT: CREATING A RISK-AWARE CULTURE

A large food-distribution organisation noticed an upward trend in the frequency and severity of workers’ compensation
and liability claims. Here’s how it reduced incidents by educating and financially motivating employees to recognise
potential risks.

Numbers for key safety metrics –
accidents per million miles (AMM)
and recordable case rates (RCR) –
were higher than its competitors’. In
addition to immediate concerns over
employee well-being, the high volume
of claims was straining financials.
Management wanted to instil a
safety-oriented culture to reduce the
risk of injuries and lower the number
of claims. The goal was to reduce
AMM and RCR by 20%. The company
wanted to emphasise that:
• Everyone can make a difference.
• All employees need to be aware of
the risks.
• Reducing incidents and claim
volume is in everyone’s best
interest.
The company used scorecards to
create a ranking showing how each
operating unit performed across 17 risk
and safety categories, including AMM,
RCR, required training compliance and
root-cause completion percentage.
This encouraged a cultural change
in two ways: Overall scores were
shared across the organisation,
which motivated each unit to improve,
and there was a clear financial
incentive as bonuses were tied to
achieving goals.
Now, locations eagerly await
the quarterly ranking report, and
improving safety scores is a point
of pride. Employees understand the
value of fixing a problem – and how
their actions can make a difference.

Culture weaves risk management into the everyday

routine of employees. With more eyes and ears on
the lookout for risks, a company is much less likely to
be blindsided – and that’s a significant competitive
advantage. Here are seven steps to make risk a part of
every decision at your organisation:
5 ASSIGN RESPONSIBILITY
Identify the individual who is most closely
connected to each risk and hold that person
accountable. When responsibilities are clear, there’s
less of a chance something will fall through the cracks.

1 EDUCATE
Equip employees with knowledge. Explain the
benefits of risk management, how to spot issues,
how to assess potential impact, and how to mitigate
threats. Show employees that reducing risk is in
everyone’s best interests.
6 ESTABLISH INCENTIVES
Baking risk management expectations into
performance plans gets people thinking about how they
can correct issues. Offer spot bonuses to employees who
identify risks and come up with a solution. Tie annual “HAVE A CLEAR,
bonuses to achieving risk-related goals. WELL-DEFINED
PROCESS FOR

2 COMMUNICATE
Have a clear, well-defined process for reporting
7 LEVERAGE TECHNOLOGY
Technology can gather all risk-related data from
claims, internal audit, safety and third parties into one
REPORTING RISKS.
GUIDELINES MUST
BE SPECIFIC,
risks. Guidelines must be specific, direct and go location. This increases transparency and elevates the DIRECT AND GO
beyond ‘if you see something, say something’. Create visibility of risk. Point values can be given to each KPI BEYOND ‘IF YOU
forms with prepopulated fields to make it easy and totalled for an overall risk score, which business-
SEE SOMETHING,
to navigate the process and collect all necessary unit leaders can then use to review progress and
SAY SOMETHING’.”
information while it’s still fresh. suggest follow-up actions.
International sales

3 GET TOP-LEVEL BUY-IN

If the senior leaders of an organisation are visibly
making risk-conscious decisions, others will follow.
NOT BUILT IN A DAY
Positive risk culture protects the customer, brand
and bottom line. When everyone from the CEO to
engineer, Riskonnect
Claire Hopper

In the chaos of a crisis, it might be tempting to cut a
few ethical corners for the sake of speed, but leaders
who refuse to compromise integrity set a great
example for others.
new interns are aware of the risk inherent in every
decision, potential issues can be addressed in advance.
Unexpected issues are less likely to occur, and when
they do, the impact tends to be less severe.
A great risk culture is not something that can be

4 BREAK DOWN SILOS

Establish a risk committee that includes
stakeholders from multiple departments. Centralise
risk information, standardise data and show the
relationships between threats. Establish a common
risk language and facilitate productive conversations to
identify and address vulnerabilities.
built in a single all-staff email or all-hands meeting.
It takes time to educate people, spark dialogue and
instil a belief that everyone has the power to make
a difference. SR
Claire Hopper is international sales engineer at
Riskonnect.

www.strategic-risk-global.com < SPECIAL REPORT EDITION StrategicRISK 7

SPECIAL REPORT > RISK CULTURE

Rescued from the

pitfalls of success
An India-based SME experienced growing
pains as demand for its products swelled.
IRM’s Hersh Shah talks us through the
rescue plan: a formalised approach to risk
and a risk culture built on accountability
and communication.

T
he company in question was an SME
based in India with turnover in the
region of $150m, specialising in
producing handicrafts and home
decor items. Established in 2008,
“A FORMAL
the firm exports products to Europe,
North America and other Asian countries.
RISK APPETITE
With an increasing global demand for its STATEMENT WAS
products, the company was facing operational, ROLLED OUT TO
branding, financial, and market-related risks. ENSURE THAT
There was no formal risk management system in ANY DECISION
place, leading to financial losses and missed BEYOND A CERTAIN
opportunities. VALUE WOULD BE
Furthermore, the absence of a risk culture made ESCALATED TO
it difficult for employees to identify, communicate AN INDEPENDENT
or mitigate threats in real time. This was leaving COMMITTEE.”
loyal employees feeling demotivated.
Hersh Shah, CEO, Institute of Risk Management CEO, Institute of
Risk Management –
(IRM) – India Affiliate, explains how the organisation India Affiliate
engaged a risk consulting firm and executed the Hersh Shah
following five-stage approach.

RISK BRAINSTORMING:
IDENTIFICATION & ASSESSMENT
Workshops were conducted for all levels of
employees to help them identify potential risks
in their respective areas, something known as
‘risk brainstorming’, a common technique in
risk identification.
“A risk committee was then formed, comprising
members from different departments, to review
and prioritise risks based on likelihood and
impact. This is also to make sure decisions are
not biased and there is enough focus on reality,”
says Shah.
STRATEGISE: DEVELOPING
MITIGATION PLANS
After the necessary reviews and analysis, for each
high-priority risk, a mitigation strategy was devised
depending on an agreed matrix. For example, using
a 4x4 matrix as the organisation “didn’t want fence
sitters,” says Shah.
One new development from this process was that
when it came to addressing currency fluctuation risks
– a major concern for exporters – the company started
entering into forward contracts.

8 StrategicRISK SPECIAL REPORT EDITION > www.strategic-risk-global.com

 In partnership with

says Shah. “For instance, the procurement team

started assessing vendor reliability and geopolitical
risks before finalising contracts.”

ACCOUNTABILITY AND EMPOWERMENT:

WORKING ON RISK CULTURE
Realising that its new approach to risk must move
beyond processes and documentation, the company
further focused on its risk culture. Regular training
sessions were introduced, emphasising the importance
of risk management, including nominating some
employees for IRM’s global ERM exams, says Shah.
Employees were encouraged to communicate risks
freely and a reward system was introduced for those
who identified significant threats.
“THE NEW RISK
CULTURE MEANT
EMPLOYEES
FELT MORE TECHNOLOGY: DEVELOPING
INVOLVED AND SUPPORTING SYSTEMS
ACCOUNTABLE, Finally, this approach to risk also needed to
LEADING TO be underpinned by supporting technology. “A
IMPROVED digital dashboard was developed to monitor
MORALE AND key risk indicators, providing real-time data to
PERFORMANCE.” decision-makers. Feedback loops ensured that any
risk incidents were recorded and analysed for future
CEO, Institute of Risk prevention. Risk incentives were initiated to ensure
Management
Hersh Shah
people report risk events.”

HAPPY PEOPLE, HAPPY BALANCE SHEET

There were four major outcomes and improvements
the organisation experienced as part of its new approach:
• Financial stability
• Improved decision-making
• Employee engagement
• Increased competitiveness

“By hedging against currency fluctuations and

IN REAL TIME: EMBEDDING RISK
MANAGEMENT IN OPERATIONS
With the planning process completed and the
organisation having undertaken a thorough review of
its current approach, it could move onto the practical
application of its new view of risk.
“Processes and standard operating procedures
were revamped to include risk checkpoints and a
formal risk appetite statement was rolled out to
ensure that any decision beyond a certain value
would be escalated to an independent committee,”
securing reliable vendors, the company saw a
marked decrease in unexpected costs,” says
Shah. “And with a clear understanding of risks,
the management made better-informed choices
regarding new markets, product innovations and
partnerships.”
“The new risk culture meant employees felt
more involved and accountable, leading to improved
morale and performance. The organisation also
started gaining an edge over competitors as it
could manoeuvre market uncertainties better
and offer more consistent service and product
quality,” he says.
Shah believes embedding a risk culture and
structured risk management approach proved
invaluable for the organisation.
“It not only stabilised their operations but
also positioned the company for sustainable
growth in a competitive market. This case study
illustrates the importance of proactive risk
management, especially for SMEs aiming for
global outreach.” SR

www.strategic-risk-global.com < SPECIAL REPORT EDITION StrategicRISK 9

One cloud platform to manage risk
and compliance across your
organisation and global supply chain.

RMIS

ESG
Compliance
Project Risk Management

Business Continuity & Resilience ERM

TPRM

Claims Admin

Policy Management

Health & Safety

Internal Audit

1.770.790.4700 | SALES@RISKONNECT.COM | WWW.RISKONNECT.COM