This may mean rethinking your organization’s approach to risk and adopting an intelligent risk culture, meaning you’re no longer simply trying to improve existing risk management systems, or quantifying cybersecurity risks, or selecting measures to mitigate risk. Rather, an intelligent risk culture demonstrates that you’re also paying attention to poor behaviors or misaligned norms and tackling them head on—which lays the groundwork for healthy risk behaviors that enable cybersecurity resilience and effective operational risk management.
What Do We Mean by ‘Risk Culture’?
Risk culture is typically defined as the values and beliefs about risk management that all employees share. This common understanding springs from an organization’s values, risk processes, perceptions about risk-taking, and knowledge and awareness of organizational risks. And that starts at the top.
In fact, a poor tone from the top is one of the most common factors underlying fraud schemes—even those perpetrated by an organization’s owner or executive leaders. It takes only one senior executive or influential employee to stifle open and candid conversations, whether through intentional bullying or soft-spoken influence.
Quashing a healthy dialogue that would otherwise support a robust risk culture not only increases your exposure to fraud and other risks but can also result in compliance issues, fines and material weaknesses if the organization runs afoul of regulatory requirements.
Gaps and misalignment can put your organization in jeopardy.
In one case, an organization’s legal counsel was missing critical information about the role of whistleblowers in identifying risks, which led to weaknesses in the company’s whistleblower complaint process.
The SEC requires whistleblower hotlines to be accessible via public company websites to facilitate reporting by employees as well as customers, vendors, and other stakeholders. But during discussions about the company’s process, the counsel indicated that they needed only to allow whistleblower complaints from employees to facilitate the reporting of items that may pertain to accounting fraud.
The general counsel may not have known that fraud and inappropriate activities are most often identified by tip. And although it’s true that employees typically provide more than half the tips related to fraud (Association of Certified Fraud Examiners), the rest come from outside sources, including customers, vendors, and anonymous or other tipsters. (The total adds up to more than 100% because some frauds were reported through multiple channels.)
Uncovering Hidden Risk Bias
Be aware of the dangers that can lurk, undetected, beneath the surface of your day-to-day experience. Because what you don’t know can hurt you.
Cybersecurity and operational risk biases exist within every organization to some degree—likely including yours. This undermines defense- and response-readiness, operational maturity and, ultimately, your operational and cybersecurity risk posture.
In this context, cognitive bias is defined as “biases that are a systemic error in reasoning that leads to failures in producing appropriate and adequate security decisions.” And, thanks to our inherently optimistic nature, we expose ourselves (and the companies we work for) to cybersecurity threats because we tend to underestimate those threats, which in turn enables risky behavior.
For example, when an employee receives an email constructed as click-bait—otherwise known as a phishing attack, designed to infect laptops and other devices—they don’t necessarily treat it with the suspicion it deserves. Far too often, employees click links or download files without thinking about the potential for ransomware or malicious attachments. Why? Most often it’s due to cyber risk bias or a lack of a perceived threat.
On a larger scale, we see cybersecurity and operational risk biases at the programmatic and enterprise levels for identifying, treating, tracking and managing risks.
In one case, we identified a risk associated with a client’s lack of conformity with an explicit regulatory mandate. But when we brought it to the attention of stakeholders and their leadership, the process owner with responsibility for adhering to the mandate minimized the finding, adamantly dismissed the non-compliance, and failed to acknowledge that it presented a risk.
It was unclear why an individual with a management role would choose to diminish a major requirement, especially since the organization was required to demonstrate its due diligence and document compliance on its website. But whatever the reason, this reaction stunted further open dialogue about the potential risks and curtailed consensus among stakeholders on how best to remediate or manage those risks.
Adopting an intelligent risk culture can help you avoid this type of risk scenario. And the first step is looking beneath the surface to identify hidden biases.
Recalibrating Risk Management to Reduce Bias
To establish an intelligent risk culture, you need a clear understanding of your organization’s current climate and behaviors. To ensure honest feedback, organizations typically engage a third-party to perform an anonymous risk culture assessment. This anonymity is critical, because otherwise, how can you be certain what behaviors and perceptions are lurking in your organization or with key influencers across a department?
Insights from this type of third-party assessment provide executive leaders and front-line managers with vital information about unhealthy risk behaviors and their potential impacts. This enables them to address risky behaviors with a top-down and bottom-up approach—and begin improving their company’s risk culture by making changes to corporate values, risk management processes, criteria for risk-thresholds and/or risk awareness.
An honest risk culture assessment also makes it possible to recalibrate perceptions you might otherwise overlook or diminish. By avoiding subjective or flawed assumptions that propagate biased behaviors, you’re in a better position to defuse subjective or emotional responses. Coupled with embedding stronger and continuous data-driven decisions and organizational transparency in processes and methods, this pivot can be a game-changer.
Use data to zero in on risk culture indicators.
Encouraging the accurate and timely collection of information leads to stronger risk-informed awareness—and enables better risk management decision-making. Transparent, data-driven processes and methodologies can help you further identify and mitigate biases by breaking down risk culture indicators, including:
- Change management of risk perceptions, behaviors and resolution
- Proactiveness to report risk issues
- Stakeholder responsiveness to risk identification
- Risk ownership
- Ability and willingness to remediate risk issues
- Accountability for performance of risk management
Strong risk cultures take root when employees at all levels routinely take a risk-based approach for every new initiative, anticipating risks at the start of the project management lifecycle. Most often, this includes performing a risk assessment or reviewing audit report results of operational controls that have been tested.
An intelligent risk culture makes it safe to openly acknowledge risk and proactively challenge decisions, which encourages discussion and learning from risk failures and solutions. This philosophy supports an open, results-oriented approach: “If we see risk, we will identify it, scope it and—even if it’s bad, we will establish a plan to manage it.”
Cultivating Cybersecurity and Operational Risk Management
The best organizational cultures proactively seek information about—and insight into—risk, by making it everyone’s responsibility to flag potential issues. Also, clearly defining the expected control of risk functions across the organization helps to shape the strategy, policies and values about risk consistently.
As a leader, you should consider formally including the risk function when planning and vetting business decisions and when establishing risk guidelines as well as first-line roles, responsibilities and accountability for employees. Ideally, this includes “tone at the top” communications, coaching and mentoring as well as openness to lessons learned and continuous improvement through post-project reviews.
Discussing and addressing risk facilitates development of an organization-wide culture that values the proactive challenge of decisions, thereby encouraging discussion and learning from risk failures.
Implementing an ‘Effective Risk Culture’
Your organization’s risk culture can be customized based on your business model, risk thresholds and appetite, and governance structure. We’ve boiled it down to four critical success factors for creating an intelligent risk culture.
1. Tone from the Top
Senior executives demonstrate the philosophies, actions and behaviors they expect of employees. They also define the organization’s risk appetite and the performance measures to ensure risk thresholds are not exceeded and demonstrate a willingness to listen and consider inputs from all stakeholders.
2. Accountability and Responsibility
Senior executives, in conjunction with the board, recognize their roles and responsibilities in risk management. While boards should not take a direct role in managing risks, they can fulfill their risk oversight responsibilities through discussion of the organization’s risk management approach and posture.
3. Encouragement of Risk-Raising and Reporting
The most successful organizations place a premium on risk management—and see better growth and increased profit margins as a result.[2] This includes encouraging all employees to raise and report risks to facilitate prioritization and successful mitigation or resolution. They also develop an understanding of how risks interconnect and impact the business.
4. Constructive Communications and Challenging Conversations
Organizations with hotlines detect fraud and cybersecurity risks more quickly (12 months vs. 18 months) and experience only half the losses of those without hotlines. When the culture encourages employee awareness and communication, organizations are better positioned to identify and mitigate operational and cybersecurity risks.
Start building an intelligent risk culture today.
In today’s risk environment, your organization can’t afford to focus only on improving existing risk management systems or mitigating risk. It pays to dig deeper into your organization’s non-compliance. The best place to start is with a risk culture assessment, and we’re ready to help.
[1] Cybersecurity Ventures, 2022 Cybersecurity Almanac, sponsored by Cisco.
[2] Thor Olavsrud, “How risk management leads to increased profit margins: Companies that put a premium on risk management can cope with ever-increasing business risks while seizing opportunities that present themselves,” CIO, April 16, 2015.