Does Your Organization Have a Risk-Aware or Risk-Blame Culture?

Author: Veronica N. Rose, CISA, CDPSE - Board Director at ISACA Foundation and Digital Trust Professional
Date Published: 29 July 2021

I recently read a blog post by Mark Thomas, President of Escoute Consulting, titled “Leverage COBIT and ITIL for Customer-Centric, Connected and Collaborative Organizations.” One of the things he warned organizations to watch out for is the silent killer of any framework adoption initiative: culture.

I thought to myself, wouldn’t we do better if we were aware of the type of environments we are in and then begin on the journey to transformation?

So, having referenced Mark’s view on framework adoption, how then do we ensure a risk-aware culture in our respective organizations?

In this blog post, I would like to share with you some scenarios that indicate we are instead in a blame-culture organization when it comes to risk management:

  1. Lack of senior management involvement in risk management activities
  2. Having a “to whom it may concern” attitude toward risk management
  3. Misalignment between actual risk appetite and policies
  4. Letting unethical behaviors that contribute to control deficiencies go unpunished
  5. Not establishing accountability (this is evident when staff avoid taking responsibility or risk ownership and play blame games when solving problems that arise within the organization)
  6. Discouraging open discussion on risk and other pain points of the organization
  7. Over-controlling or micromanaging staff, which hinders innovative ways of responding to and mitigating risk accordingly
  8. Not training staff and other stakeholders on the required procedures and policies for a successful enterprise risk management framework

What you can do to improve this culture:

  • Awareness is key to transformation; recognize the current state of your organization’s risk culture and use a dynamic risk awareness procedure to maintain a higher level of risk awareness.
  • Position your risk in the context of the enterprise mission, strategy and objectives.
  • Ensure your risk policy is updated regularly and communicated to all stakeholders.
  • Determine if your risks are within the organization’s risk tolerance levels and ensure acceptable levels of risk are understood and maintained.
  • Encourage open reporting and discussion of risk within the organization.
  • Establish accountability for risk management and for the controls that address specific risks.
  • Different contexts require different solutions – avoid being an agile risk copycat because your risk landscape is unique, and your business environment, risk mitigation strategy, stakeholders, organizational structure, industry regulators, culture, and practices also are unique. Your risk management process should be tailored for your organization.
  • Partner with or involve your third-party service providers with your risk management strategy. When you involve vendors in your risk management process, they will be indispensable in helping you manage your risks.
  • Promote a flexible risk management framework for smoother adoption.
  • Prioritize the risk response options.
  • Most important, but often ignored: the tone should always be set from the top. Some industries require the board of directors to be accountable for prioritizing risk response in the organization. Gain stakeholder support through continuous engagement, leadership visibility and transparency.

The benefits of a risk-aware culture
Risk is part of every organization’s operation, and the I&T landscape is always evolving. Effective risk management doesn’t function in a vacuum and rarely survives a leadership failure. When we develop a risk-aware culture, this practice encourages collective or combined risk assurance efforts, which in turn strengthen the risk-aware culture itself.