Creating a company-wide culture that is attuned to corporate risks—especially the ones that an individual employee is likely to face on a regular basis—is a common theme in compliance discussions.
Programs need to be risk-based, but creating policies only goes so far if employees don’t understand the key risks and why they need to be avoided. And to take it a step further, employees need to factor in risk awareness as part of their job responsibilities.
As Chris Caron, Compliance Director at Kiewit, found, actively engaging employees in mitigating the risks they face every day not only cuts down on adverse risk effects, but also gives the organization a better understanding of real-life risks and their likelihood. (Learn more about Chris’ experiences in this webinar about taking a risk-based approach to compliance.)
But how do you actually create that company-wide eye toward risk? Chris moved in this direction by making project managers responsible for filling out a risk matrix for their own projects (after all, who would understand the risks and their likelihood better than the project managers?) and by adjusting the company-wide risk measurement scale to better reflect the organization’s risks.
If you feel like you’re starting from the beginning and need a more basic way to spread a risk-aware culture, don’t worry: we’ve laid out some clear steps for you to take.
Agree on a Vision
It may seem simple, but if you’re starting from scratch when ingraining risk awareness throughout your organization, you need to make sure all the key players are on board before you begin spreading the message. Discuss what you’re trying to accomplish, what the key metrics are, how you’re going to go about instituting a cultural mind-shift—everything you’d do when making any other major business decision.
Here are a few common goals typically discussed and defined during this phase. Once identified, these should be communicated to the rest of the organization.
- Common purpose — Individual employee values should align with organizational values and approach toward risk.
- Consistency — The entire organization should share the same risk vocabulary so that risks are universally and consistently evaluated and understood.
- Understanding — Individuals are aware of critical risks facing the company, understand the macro benefits of risk management and are aware of how their behavior impacts the organization.
Assess Your Risk Culture & Create a Roadmap
Now that you have the vision for your risk-aware culture defined, it’s time to see how it matches up with the current state of your company. Risk assessment is a two-part process:
- Look for alignment.
  The first step is to look at your current risk management process to determine what you are and aren’t doing already.
  - Do you have a documented risk appetite?
  - How is risk currently being logged, monitored and managed?
  - Do front-line managers play a role in risk monitoring and mitigation?
  - Does the company use a single risk measurement matrix with a common language?
- Company-wide benchmark.
  Conduct a company-wide culture survey. If you have a large organization it may be tempting to survey a representative sample of the company… resist this urge. You want to spread a risk-conscious culture to your entire organization, not a sample of your organization. Taking the pulse of the entire organization may be more difficult and time-consuming, but it will give you a much better understanding of your beginning benchmark in terms of company attitude toward risk.
Once you’ve assessed the current state of the company’s risk awareness, you can cross-reference that with your agreed-upon vision and create a roadmap for tackling this project.
Tone at the Top
Once you have your roadmap planned out, the most logical place to start implementing this new company-wide attitude is at the top. Tone at the top is extremely important to any compliance program, so this has the added benefit of bringing your board of directors and the executive team more in line with federal expectations for compliance programs and oversight.
If your board is already compliance-focused, great! Still, go to the top and explain your project and make sure everyone from the chairman of the audit committee to the C-suite fully understands and embraces any new language and methods or approaches you’re taking so that they’re in line with what employees will be hearing.
Organizational culture is truly top-down. Everyone needs to be on board if you want effective risk management and a strong culture. Making sure that top-level management is using the same messaging and approach that you’ll be promoting will help solidify the message and give weight to its importance.
If you’re still having trouble getting the top to buy into the message of risk-based compliance, keep working on it! But in the meantime, move down to your mid-level and front-line managers. Sometimes tone at the middle can have more impact and is easier to achieve.
Education & Training
When rolling this new aspect of your compliance program out to the entire company, there are a few key things to keep in mind that will help increase buy-in and understanding.
- Take the time to explain the idea behind this initiative.
  Compliance can often be seen as just a bunch of pointless policies and procedures and a team of police looking for wrongdoers. Taking the time to explain why a company-wide commitment to risk management is important and how not mitigating risks can negatively affect both the organization and the individual employee will make people much more willing to follow the rules and do the extra work you’re asking of them.
- Tailor training programs to each department.
  Focus on the risks this particular set of employees is most likely to face and the processes and procedures they’re expected to follow. Buying canned training packages is easier, but less effective in this situation. The risks you’re talking about are specific to your organization and will be different based on which department you’re talking to. Training is far more effective—and likely to be listened to—if you talk specifically about the things that will affect this employee in her or his daily job.
- Allow for questions, even after training.
  Ensure your compliance program has an easy way for employees to safely and confidently ask questions or seek clarification, and communicate this method during training. Whether it’s a feature in your compliance software or a regularly checked email inbox, making sure employees know that they can get help in a non-threatening (and timely) manner is key to encouraging continued buy-in and dedication from your workforce. This “ask a question” feature should not be the same as your compliance hotline, which can often come across as intimidating and denotes wrongdoing.
Following these steps will help get you on your way to creating a company-wide risk-aware culture, which in turn will go a long way to helping you accurately identify, monitor and manage the unique risks your organization faces.
These tips were taken from the eBook, Creating a Risk-Conscious Culture.