How to Embed Risk Awareness in Corporate Culture


This is the full text of a talk first given at Richmond Events’ 2013 Risk and Security Forum, Zurich. It’s a long article (3,703 words) and expands on talks that I’d previously given on risk management. It includes links to source articles which are well worth investigating.

It is now five years on from the financial meltdown caused by a catastrophic failure of risk management in the financial services sector. The resulting recession has caused Eurozone countries in particular to slash spending savagely in order to reduce their debts and restore growth. We are all still paying the price, in terms of reduced economic activity, higher unemployment, reduced return on savings and investments and higher prices.

The current economic environment offers today’s leaders a stark choice: Adapt or die. This phrase may be seen as clichéd, but it was never more relevant than it is today. For the organisation of today is surrounded by a number of significant challenges, including:

  • Dealing with natural disasters
  • The economic slowdown
  • The growth of cybercrime
  • The battle to attract and retain talented people
  • The impact of government regulation
  • The continuing impact of the Internet on businesses
  • Competition from more agile competitors, both domestically and from the rest of the world.

Any one of these challenges would be difficult to overcome at the best of times. Taken together these make for as tough a fight as you are likely to see in your entire career. Each of these areas represents specific risks to the organisation that have to be managed.

Why Improved Risk Awareness Is Vital

The causes of the meltdown are many but two things stand out:

  1. That over-reliance on risk management models, systems and tools – which were used by many but understood by a very few – set the stage for the meltdown;
  2. That human behaviour, driven by financial incentives and rewards, was in large part responsible for the recklessness that triggered it.

So how has the failure of financial risk management affected the way people perceive project risk management?

  • Did it result in a declaration that risk management doesn’t work and a decision to ditch the disciplines of the last few decades?
  • Did it result in the determination that “lessons must be learnt”, that more must be done to manage risk in projects?
  • Or did nothing significant happen at all?

Thankfully, the first of these three scenarios did not come to pass. Unfortunately neither did the second.

The damage caused by the financial sector should have led to an increased appreciation of the benefits of proactively managing risk. However I don’t believe that it has and I know that I’m not alone in that opinion. If the view in 2004 was that risk management was “seldom effectively applied”[i], the view almost a decade later doesn’t appear to be that much different.

It is true that there is now an increased focus on risk management in the organisation as an enabler of long term growth and profitability[ii]. Investment in risk management is rising and is expected to rise even higher. However it is still the case that, within organisations of all kinds, the tremendous value to be realised through the use of risk management in projects is lost. This loss is not just limited to the budget lost to those projects which fail to deliver. It is also:

  • The lost profits or savings that these projects were intended to deliver;
  • The loss of market share caused by the non-delivery of new products, services or change in organisational capability;
  • The reputational damage that can result from the failure to take appropriate action.

Investment in tools and technology is welcome, but won’t really make much of an impact. It hasn’t and it won’t. Significant strides in the use of risk management will only come through the development of a risk culture across the entire organisation, so that risk is no longer seen as the preserve of a select few within the organisation, but an enabling capability that provides value to everyone in it.

Why a change in culture is needed

Culture can be defined as the values, behaviours, concepts and tools of a particular group. It follows then that corporate culture is the collection of values, beliefs, behaviours and concepts of an organisation or corporation. One of the key factors that led to the moral and financial bankruptcy of some in the banking sector is the toxic culture of the organisation, which leads not just to excessive risk-taking, but to behaviours which actually do harm to the organisation.

A recent report by the Association of Certified Chartered Accountants (ACCA) written in the aftermath of the 2008 collapse was quite clear on this. It said:

“In any analysis of the risks that bring down organisations, or come close to it, the root cause is usually identified as something to do with corporate culture”

The role of the CEO and the Board in culture change

The board, led by the Chief Executive Officer (CEO), has the greatest impact on the culture of the organisation because:

  • It’s the Board that decides the level of risk that it wants the organisation to adopt
  • It’s the Board that decides the organisation’s goals, activities and priorities
  • It’s the Board that determines, through the use of financial and other incentives, which behaviours to reward and through this determines the behaviours of everyone else in the organisation.

The CEO is ultimately responsible for risk management in the organisation. In the majority of small to medium sized companies they have day-to-day responsibility for risk management. In larger companies this role is increasingly being performed by a Chief Risk Officer (CRO), who reports to the CEO. However few organisations are good at generating a strong risk-aware culture.[iii]

If we are to have a more risk aware culture then the role of the Board must be to promote the values and behaviours that are vital to a more risk-aware culture and to eradicate those that are no longer wanted. They can do that through the creation of a vision for the organisation, through the use of incentives and through investment in risk management skills training.

Creating the Vision

The first and most important thing that the Board can do is to create a vision for a more risk aware organisation. This vision needs to be simple, it needs to be clear and it needs to be communicated to everyone in the organisation so they can understand the Board’s vision and translate it into everyday actions that they can take in their own work. This vision must include the level of risk appetite that the organisation is willing to take, as this is a feature of the organisation’s culture.

The role of incentives – you get what you pay for

The Board needs not just to set the vision; it must also support the realisation of that vision by supporting changes to the culture. So the second thing that the Board must do to change the culture is to change the role of incentives and rewards. It doesn’t take much to see that incentives skew an otherwise level playing field or set of choices. In financial services commission based selling has led to products and services being sold to people for whom these products were not just sub-optimal, they were actually dangerous. In banking, bonuses resulted in huge risks to the organisation, but these risks were pursued because of the benefits to the individual; bonuses encouraged the very behaviours that were detrimental to the organisation and its customers. In fact, in most cases they were “likely to lead to mis-selling”[iv]. Over the past 20 years incentives in the financial sector made things more risky, rather than less. The problem was that no-one wanted to change course even where dangers to the organisation were apparent. People often didn’t understand their own risk models and drew false assurance from them.

Now it’s different. Now it is time to change course. We have an excellent opportunity to use incentives to drive the development of a risk aware organisation for the benefit of the organisation as a whole. What the Board needs to do is to align benefits with improvements in risk management, so that people get rewarded for taking actions that reduce the negative effects of risk and exploit positive risks or opportunities.

The need to invest in cultural change

The third thing that the Board needs to do is to demonstrate that they back the change to a more risk aware culture by investing in skills training and by allowing the company the time to make the transition. Investing in skills training pays dividends; companies that invest in their people tend to have a higher return than those that don’t[v]. However, in a down market it is common for companies to slash investment in people. So the courageous Board needs to do what other companies won’t do. They need to invest in training, coaching and mentoring to embed the risk management skills that are vital to their future. Nothing demonstrates that the Board is backing the change to the company’s culture like an investment in people. The Board must invest in training to upgrade people’s skills and at the same time explain the importance that becoming more risk aware will play in transforming the organisation’s fortunes. Training in risk management will also provide the common risk management concepts, language and tools that make it easier for people across the company to communicate and collaborate.

One final challenge for the Board is to close the gap between what they see as their key priorities for risk management and what they are doing about it. When asked about the most important qualities in instilling a risk culture, the number one item was strong leadership[vi]. Boards need to demonstrate it.

The CRO’s role – To drive the exploitation of skills and experience

If it is the role of the Board to make the creation of a more risk aware culture a corporate objective, then it is the role of the CRO, the risk function and those involved at the governance level to drive forward the change in values and behaviours into the project community and to secure the benefits that improved risk awareness should be delivering. To do that the CRO and those involved in the governance of projects need to do three things:

  • Ensure effective governance of projects and programmes, so that projects and programmes receive appropriate direction and so that the Board receives appropriate and timely information
  • Ensure compliance with risk management processes, so that projects are no longer able to avoid the effective management of threats and opportunities
  • Roll out mandatory risk management training, so that everyone in the organisation acquires the skills of managing risks.

Not more governance, just better governance

First, effective governance. It never ceases to amaze me that project after project gets into serious trouble, particularly having been under the direction of a Project Board or other group of executive stakeholders. Often these projects have been running for a very long time. Then I read the results of a report on the management of troubled projects[vii] which found that just 20% of executive stakeholders provided the sort of close, ongoing supervision and timely intervention needed by complex projects. The rest either:

  • Didn’t get involved until something was too difficult for the project manager to resolve (45%)
  • Didn’t get involved until the project was already in serious trouble (28%)
  • Didn’t get involved at all (7%).

This can’t be allowed to go on any longer. CROs need to call out stakeholders who fail to provide adequate governance. To do that they need the power to stop projects that aren’t in governance or are being poorly directed.

Compliance isn’t optional any more

Second, compliance with the risk management process. The risk function must ensure that all areas of the organisation, including projects and programmes, are part of their enterprise risk management (ERM) process. We’re still seeing examples where failed projects are causing loss to the organisation because risk is not factored into decision making. Project risks are still managed within silos and we have to break these down. If these projects were brought within the scope of ERM the risks and the actions to manage them would be much more visible.

The solution to this is to enforce the use of corporate risk management tools and processes, instead of individual and point solutions. A lot of money is already invested in processes and tools and investment in this area is rising. However I’d argue that investment has gone into tools and into the central risk function at the expense of investments in people and performance. The tools are already there, but they are not used uniformly, allowing high failure rates. Improved training and coaching will provide the skills that are needed by the organisation; the role of enforcement is to identify those areas where sanctions need to be applied, to improve the tools and systems and to perfect the process.

Time to try training

Third, mandatory risk training. Increased investment in risk management training will drive increased use of the existing tools and make better use of limited funding. This will drive improvements in communication and feedback channels. This in turn will provide the Board with better information about risks so that they can incorporate risk into decision making. Training will also provide the common language, artefacts and behaviours that are required for cultural change.

There has probably never been a better time to do this because Boards are actively trying to improve risk management. They are under pressure from the impact of government regulation, the activism of institutional shareholders and the anger of ordinary taxpayers who have paid the price in the past for poor risk management; all of these forces are shaping the future risk landscape.

This training has to be mandatory and it has to be delivered at all levels, with no back-sliding, opt-outs or deferring “until a more convenient time”. That time will never come.

I was asked to organise the rollout of training for a new change management framework for a client. One of the biggest challenges that we faced was in getting the more senior members of the project community to attend the training. They were either too busy to attend or accepted invitations then failed to show up on the day. Although each one had a good reason for not attending, the collective message that this sent out to the organisation as a whole and especially to the people on their teams was that this training was not important. That sort of attitude is pure poison to a company that wants to change.

It’s the refusal to accept this behaviour that is a key part of driving cultural change. By all means use whatever form of friendly persuasion you feel you need, but don’t stop there. As we recommended to our executive sponsor, if people turned down too many chances to become part of the new way of doing things there should be a parting of the ways.

Cultural change at the project level

So the CRO and those involved in project governance need to become more accountable for project direction, enforce compliance and roll out risk training across the enterprise. What can they do to support cultural change at the project level? They can support the embedding of new behaviours through facilitation, coaching and mentoring.

Using coaching to power performance and productivity

The benefits of training are typically high but short lived. If the skills acquired through training are not actively used then they wither and die. It’s as true for risk training as any other. This is where coaching comes in.

The role of coaching in this context is to improve workplace performance by supporting the use of risk management skills until they become second nature and part of the set of tools used by everyone in the organisation.

Training combined with coaching delivers long-lasting improvements. Where training can add 20% or more to productivity, training plus coaching can boost this productivity improvement to almost 90%[viii]. These improvements are not just limited to the increased use of the skills being trained. The other benefits of coaching include:

  • Improvements to productivity
  • Improvements in creativity
  • Improvements in working relationships
  • Improvement in job satisfaction

What would a 90% improvement in risk management do for your company?

Mentoring the next generation of risk managers

The next area where the risk function can add impact is to stimulate the use of mentoring in the organisation to transfer the skills, knowledge and experience from risk management subject matter experts to the organisation as a whole, or from one generation to the other. If the aim of coaching is to improve people’s performance and through that their ability to meet and exceed objectives, then the role of mentoring is to pass on experience.

Some people use the terms coaching and mentoring in the same context, as if they are the same thing. I’d make a distinction between the two. There are several key differences between coaching and mentoring, including:

  • The seniority of the mentor in relation to the mentee
  • The level of subject matter expertise
  • The level and nature of feedback
  • The length of the mentoring relationship

There is one overriding reason for recommending mentoring to support the long-term cultural change needed to embed a more risk aware culture. That is to develop the next generation of risk managers and leaders in the organisation. By mentoring the next generation of risk managers we can:

  • Reinforce the benefits that come from risk management
  • Provide insights, lessons and advice in a way that isn’t open in a coach / coachee relationship
  • Help the mentee to assimilate knowledge and experience.

Over time the ability to impart knowledge helps to prepare the mentee for the challenges of the future. It also allows the mentor to share the stories of success and of failure that must become part of the story of the organisation itself. These are the stories that can help to highlight the values and behaviours that are vital to the creation of the new corporate culture. You need to lay these stories down like sediment over the old war stories that are no longer relevant, unhelpful or even harmful to the company’s new vision. Over time these new stories will solidify and become part of the bedrock of the new culture.

So, who gets to be mentor and who needs mentoring most?

If we are to transform a company from top to bottom then it is necessary for mentoring relationships to exist at all levels of the organisation. There’s no need to start at the top: in fact there may be very good arguments for not starting at the top this time around. It may be better starting with your best subject matter experts and advocates for risk management so that you diffuse their skills to influence a wider range of people in the organisation. If we do not develop their skills now, they won’t be able to utilise them when needed.

Mentoring can be either formal or informal, but can only really work where the mentor has the right kinds of skills to pass on, those that are in line with the risk management culture we are seeking to create. They also can only work where the mentees are receptive to being mentored; you can’t truly mentor someone who doesn’t want to be mentored. Your choice is to decide whether those who do not want to be mentored have a future in the organisation, or whether they are better off elsewhere.


Although training can provide the specific risk management skills and tools needed by the organisation, there is a risk that by the time a new project gets underway many of the requirements, scope and schedule risks have already been missed. One way to deal with these specific risks, while at the same time putting projects on the right path, is to use facilitated project workshops.

The goal of facilitation is to make things easier. The role of a facilitator in project workshops is to:

  • Bring the key participants in the project together so that they get a common understanding of the project
  • Develop a clear vision and goal for the project which can be used to drive the development of plans, budgets and risks
  • Identify the key workstreams, deliverables, dependencies and milestones.

The workshops themselves are very effective at eliciting key information needed by the project manager to produce detailed plans. They also provide a reality check for the whole team by allowing them to get a better understanding of the total project than they would have working alone. Finally they allow the team to start the team formation process by getting to know each other and by getting the team to work together.

Having spent much of the past year facilitating projects of various kinds and sizes right up to major programmes for a client in the financial services sector, I can say that not only do they work, but that I wish that I had had someone facilitate some of mine in the past. I’d definitely recommend facilitated project workshops to any organisation looking to improve its handling of risk, provided that:

  • They are mandatory. When we first introduced the new project framework we asked projects to complete an initiation workshop but didn’t insist on facilitated workshops. Within a few months we could see a clear difference in outcomes between those that used a facilitator and those that didn’t. We then pushed for mandatory use of a facilitator. Compliance with the new processes rose directly as a result.
  • They are facilitated by someone outside the project team. Many of the initial project workshops were led by the project managers. They felt that, as they were experienced, they didn’t need a facilitator. One of the benefits of having an external facilitator is that the project manager becomes a participator in their own workshops so can contribute more than they might otherwise do if they are leading the workshop. By having a facilitator lead the event it also encourages others to speak out in ways that they might not if the project manager was in charge. Finally, by using an external facilitator it’s easier to ensure that the quality of the facilitation stays high.
  • The facilitators are not people actively managing projects. A former client of mine wanted to use their more senior project and programme managers as facilitators. They found that they struggled to get them trained because many of them were too busy working on their projects to attend the training. Later, once they were trained, they then found that they were too busy to spend the time needed to prepare and run the workshops. As a result we had a backlog of projects that were waiting for a facilitator to become available, or they went ahead and held the workshops with the project manager acting as the facilitator, which affects the quality of the outcome. Instead, get experienced trainers, department heads, and team leaders trained as facilitators.

Over a period of six months we found that over 80% of attendees at facilitated workshops had their expectations met or exceeded. They said the things that worked best in the workshops were:

  • The facilitator. We found significant differences in outcome where facilitators were not used and where they were.
  • Understanding the big picture, being able to see the whole project and not just their small part of it; understanding how the project fit into the company’s objectives and why it was needed
  • The card planning exercise used to capture the essential details of the project – some people came just for that exercise alone because they knew that within the space of one day they would have a clear understanding of their role
  • Knowing what the timeline was – this was a key result for some who attended, especially those department heads who had lots of competing priorities
  • Understanding the risks, issues, assumptions and dependencies. This was an essential outcome for many, who were able to get a more rounded view of what was needed to deliver the project.


This has been the longest recession in approaching one hundred years, but it won’t last forever. Growth will return but the next five years will see a changed business landscape. The organisations that will adapt best to the environment will be those which have accepted that the toxic, greed driven past is over, that improvements in risk won’t just come from technology and have taken the greatest strides towards a more risk aware culture.

[i] British Computing Society (2003): “The Challenges of Complex I.T. Projects: The report of a working group from The Royal Academy of Engineering and the British Computer Society”

[ii] Accenture (2011): “Report on the Accenture 2011 Global Risk Management Study”

[iii] Zurich (2011): “Risk Management In A Time Of Global Uncertainty”

[iv] Financial Services Authority (2012): “Risk To Consumers From Incentive Schemes”

[v] International Personnel Management Association

[vi] The Economist Intelligence Unit (2009): “Beyond Box-ticking: A New Era For Risk Governance”

[vii] Economist Intelligence Unit (2010): “How Mature Financial Firms Deal With Troubled Projects”

[viii] The Manchester Review (2001): “Maximising The Impact Of Executive Coaching: Behavioural Change, Organizational Outcomes and Return On Investment”