Risks are faced by every organisation, regardless of industry, size, location or regulatory environment. Every organisation faces a unique set of challenges and risk exposure. Therefore, no risk management framework can be one size fits all. Embedding a culture of risk awareness requires an understanding of risk management principles across all organisational functions and roles.
Risk management is the process of identifying, evaluating, and controlling both threats and opportunities that could potentially disrupt an organisation’s operations. These threats and opportunities, or ‘risks’, can take many forms – operational, financial, reputational, or strategic – and are inherent in every business decision and activity. But why is it important to gain buy-in from employees when thinking about risk management?
The Role of Employees in Risk Management
Every employee, from executives to operational staff, contributes to the overall longevity of an organisation. Risk management is more effective when it isn’t confined purely to the risk and audit teams. By understanding and anticipating risks, employees help strengthen the organisation’s risk management system, ensuring resilience and agility in the face of adversity. Also, getting varied and diverse inputs into the risk management process typically means it’s more thorough, considering different viewpoints and a broader understanding of the potential impact of risk events on different organisational processes, activities, and stakeholders.
Cultivating a risk-aware culture equips organisations to handle uncertainty. Employees who understand the importance of risk management are better prepared to reduce risks, protect resources, and safeguard the organisation’s reputation.
Proactive Decision-Making
The whole-of-organisation involvement in risk management promotes better decision-making. When everyone contributes to the identification and mitigation of risk, it can lead to better informed, strategic choices. Incorporating risk assessments into daily operations can help protect the organisation from financial loss, boost efficiency, and build confidence in achieving objectives. These of course don’t always need to be large or complicated processes with lots of documentation – organisations often see great success when risk-based decision-making is integrated into the normal ways of working. It’s part of, not separate from.
Employees may bring unique perspectives that can shape strategic decisions, influencing new product development, market entry, or resource allocation. Their insights can help contribute to the organisation’s growth and long-term success.
Aligning personal and organisational risk appetite
Risk appetite is the likelihood of taking, pursuing, or avoiding certain risks. Organisations have it (and might even have it formally articulated in a Risk Appetite Statement (RAS)), and we all have our own personal risk appetite too. Our risk appetite is informed by our experiences and will change over time; exposure to certain events will often make us much more cautious about that event in the future (e.g., if you’re involved in a car accident, you’re likely to be much more cautious when you next get behind the wheel), and organisations are the same. They may think they’re bulletproof until a particular event is realised.
We’ve seen plenty of examples of this recently, particularly around cyber. An organisation might decide that it’s comfortable with its current risk exposure, or maybe even think, “Well, we haven’t had a cyber attack yet, so maybe we don’t need the level of control that we currently have”. This can be a dangerous mindset that breeds complacency. If management decides to lessen controls for certain risks that haven’t been realised, they may find that because of this reduction, the risk event is then realised. Making sure that management is properly informed of their risk profile and appropriately challenged to understand their real risk appetite can help organisations and risk professionals to have more meaningful conversations about risks, and why particular controls are critical.
To give a real-world example, a few years ago I was working with a large organisation that was struggling to align their organisational risk appetite with that of their workers. They worked in a high-risk industry that is known to have high health and safety incident rates. Management knew and understood this, and so had promoted messages around working safely and minimising risks, with a RAS that clearly stated no tolerance for unnecessary WHS risks. Despite this, they were finding higher incident rates than their targets, and their initiatives around improving their controls and reducing risks didn’t seem to be working. We found that, while the RAS clearly articulated management’s expectations, workers who were exposed to the risks every day had a vastly different risk appetite and perception of the risks involved.
The workers were surrounded by the hazards every day, and so over time, they had normalised the risk environment and become accustomed to the risk exposure, which resulted in some complacency and a higher appetite for risk to “get the job done”. The organisation’s risk matrix also wasn’t aligned with management’s RAS, and they required senior management to sign off on any risks which were assessed as being high or above. Their risk matrix was designed in such a way that over 50% of the possible risk level outcomes were high or above, and so many workers would intentionally under-assess the risks or tweak the risk assessment outcome to get a result that was medium or below, meaning that it didn’t have to go through to senior management for approval.
This misalignment between personal and organisational risk appetites and supporting risk processes meant people intentionally circumvented proper processes, culminating in several severe risk events being realised in quick succession. These had huge implications for the organisation, its people, and other stakeholders. By reviewing and understanding the real risk appetite of its people, designing risk management processes that aligned with this, and effective support, engagement, and empowerment from management, the organisation was able to change people’s perceptions around risk and promote a more risk-aware culture.
Risk Management Strategies for Employees
Employees are often the first to spot potential risks. A strong, risk-aware culture empowers them to identify potential issues, understand reporting processes, and confidently communicate their concerns. Open communication channels and a culture of risk awareness further support effective risk management. Employees who are aware of risks, their obligations, and risk management processes contribute to the organisation’s long-term success by ensuring proactive risk mitigation and compliance.
Get Started with Risk Management Training
Understanding the fundamental principles of risk management helps build a culture of risk awareness within an organisation. Risk Training Professionals offers up-to-date training, led by experienced industry practitioners, to give you the confidence to manage organisational risks effectively.
Our 2-day, virtually-delivered Risk Management Fundamentals course breaks down core principles of risk management and governance, guided by ISO 31000:2018. We present risk management in a pragmatic and actionable way, offering practical tools, knowledge sharing, and real-world case studies—so you’ll leave with skills you can immediately apply in your organisation.
We also explore key concepts related to effective risk management, including frameworks, assessment tools, assurance and stakeholder management. We build upon risk management fundamentals that underpin the success of any risk management framework within sustainable organisations.
This course is ideal for those new to risk management, as a refresher for professionals in similar roles, or for management now responsible for business risk.
Enrol today and invest in your organisation’s future success.
