A giant planet killing asteroid helps. Short of that, perhaps losing millions of your customers over a data breach incident. Actually, neither of those will create a truly risk aware culture. When the risk probability is 100%, your people will tend to focus on that one risk and ignore those with lower probabilities. So the next risk to get you will be the one that you are not focused on.
Risk aware culture is the objective du jour of executives and their consultants today. I’m not sure why anyone wants one — frankly it sounds like it could be paralyzing. One of my skippers in the submarine service was so risk aware that he hung up an embroidered plaque from his wife in the wardroom that spelled out “Don’t Screw Up” in signal flags. When you have the clear signal from the top to not screw up, and you are in an inherently risky business, it leads people at lower levels to do a lot of little cover-ups. Risk wariness at the top leads to a loss of transparency, and that in turn increases risks.
A risk culture can be paralyzing too. That’s what I thought when I read that a big bank is firing some of its top customers just because they’ve worked for a foreign government. Foreign to whom? If you’re an international bank, are there any foreigners, really? It seems that the compliance department at the bank has decided that the best way to ensure that they can comply with the U.S. Foreign Corrupt Practices Act is to get rid of customers. No doubt they had some consultants point out to them that 80% of their risks came from 20% of their customers. So you can just lop off that 20%. But guess what, after you do that, you’ll still have 80% of your risk coming from 20% of your customers — where do you stop?
Despite that skipper, most of the lessons I learned from submarines about risk management are really good ones. I learned that you can take some really hairy risks if your crew is well trained, you’re open with what the risks are, and you’re communicating well. And you don’t take those extraordinary risks every day — if you do that, you’ll die. No one can stay at an extraordinary level of risk awareness for long.
And something else I learned long after my submarine duty — you can’t really change the culture. What you can do is understand your company’s culture, understand the risks, and find ways that fit your culture that enable your company to take risks in a responsible way and get the job done.