If a business or organisation is to effectively manage the risks facing it, it has to create and entrench a risk culture.
A risk culture has to start from the top and transcend every dimension, area and facet of a business or organisation. It must include all employees and extend to the customers and suppliers of the business or organisation.
A risk culture starts at the front gate or front door, it includes interactions with customers and suppliers, it is part of recruitment and the terms and conditions of employment, it forms part of job descriptions, it is part of employee induction and training, it is part of the code of conduct, it forms an integral part of all IT systems and their usage, it involves a specific focus on safety and security and the minimising of risk in every business process.
An inappropriate risk culture can result from certain individuals-often the business owners or senior office bearers, or certain areas undertaking or conducting themselves in a way which is condoned or overlooked notwithstanding laid down procedures. These activities inevitably result in damage to the business’s reputation and financial losses.
By developing a proactive risk culture, management has time to develop a strategic approach to potential future risk. While a risk culture will not eliminate all the risks facing a business our organisation, it will:
- Help Identify the bigger risks facing the organisation or business
- Enable an assessment of the potential impact of these risks
- Enable the management of these risks by proactive programs, so that the impact is greatly reduced.
- Ensure better timed and informed decision making
With technology forming an ever increasing part of business and operations, it is essential that you have robust IT controls and disciplines in your business, and that IT security and cyber-crime need to form a core strategic focus and an integral part of your risk management focus and culture.
A business has to have a risk policy as well as best risk practices and controls that cover all areas of its operations, but these also have to be practical, implementable and effective.
A good place to start is to adopt an introspective approach to your business or organisation and to do a self assessment of your risk culture and risk attitude. This involves asking yourself objective questions about your business, your industry, your broader business environment, your own operational capabilities or limitations, general risk awareness and the behaviour of your staff. In this way you will be able to identify the risk culture prevailing in the business or organisation.
Risk management is a process and not an event. An effective risk management program requires an organisation wide acceptance of the importance of a risk management culture. A risk culture should be integrated into almost every aspect of the organisation or business, starting with HR processes.
Risk appetite and the ability to absorb losses vary from business to business and from one organisation to another. As potential risk and losses are very hard to quantify, many businesses will not have the capital base or funding to carry a loss and continue as a going concern.