Gartner Blog Network

How to Get a Risk Aware Culture and Do It Today

by French Caldwell  |  May 8, 2014

Photo: Planet Killing Asteroid - Los Alamos National Laboratory

A giant planet killing asteroid helps.  Short of that, perhaps losing millions of your customers over a data breach incident.  Actually, neither of those will create a truly risk aware culture.  When the risk probability is 100%, your people will tend to focus on that one risk and ignore those with lower probabilities.  So the next risk to get you will be the one that you are not focused on.

Risk aware culture is the objective du jour of executives and their consultants today.  I’m not sure why anyone wants one — frankly it sounds like it could be paralyzing.  One of my skippers in the submarine service was so risk aware that he hung up an embroidered plaque from his wife in the wardroom that spelled out “Don’t Screw Up” in signal flags.  When you have the clear signal from the top to not screw up, and you are in an inherently risky business, it leads people at lower levels to do a lot of little cover-ups.  Risk wariness at the top leads to a loss of transparency, and that in turn increases risks.

A risk culture can be paralyzing too.  That’s what I thought when I read that a big bank is firing some of its top customers just because they’ve worked for a foreign government.  Foreign to whom?  If you’re an international bank, are there any foreigners, really?  It seems that the compliance department at the bank has decided that the best way to ensure that they can comply with the U.S. Foreign Corrupt Practices Act is to get rid of customers.  No doubt they had some consultants point out to them that 80% of their risks came from 20% of their customers.  So you can just lop off that 20%.  But guess what, after you do that, you’ll still have 80% of your risk coming from 20% of your customers — where do you stop?

Despite that skipper, most of the lessons I learned from submarines about risk management are really good ones.  I learned that you can take some really hairy risks if your crew is well trained, you’re open with what the risks are, and you’re communicating well.  And you don’t take those extraordinary risks every day — if you do that, you’ll die.  No one can stay at an extraordinary level of risk awareness for long.

And something else I learned long after my submarine duty — you can’t really change the culture.  What you can do is understand your company’s culture, understand the risks, and find ways that fit your culture that enable your company to take risks in a responsible way and get the job done.

French Caldwell
VP and Gartner Fellow
15 years at Gartner
19 years IT industry

French Caldwell is a vice president and Gartner Fellow in Gartner Research, where he leads governance, risk and compliance research. Mr. Caldwell also writes and presents on knowledge management. His research includes analysis of the impact…

Thoughts on How to Get a Risk Aware Culture and Do It Today

  1. Risk practitioners generally failed to address these underlying human aspects. Since the publication of the Basle accord, ISO 31000 and other standards and regulations, it has often been argued that compliance with these standards and regulations will mitigate and control risk, but this is only true if the standards and regulations are embraced in an effective Enterprise Risk Management Culture. Just like the policies, procedures and systems, these are worthless if human attitude, acceptance and desired response lack.

    Addressing the aspect of people risk is the only way an organisation can improve the results of how their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimize risk.

    The development of Risk Culture Building is focused on awareness and training in business ethics and human behaviour, as mentioned, both the behaviours we want to encourage and the behaviours we want to avoid. Organisations should frequently evaluate the progress (or regress) they are making on the path to maturity and implement action plans.
