RISK-ACADEMY


DOCUMENT RISK MANAGEMENT ROLES AND RESPONSIBILITIES 4

October 01, 2018

Every risk manager we have interviewed explained to us that periodic evaluations of risk culture help strengthen it, so we wanted to give readers some practical ideas for such evaluations.


Multiple models can be used to assess the current state of risk culture, including the risk culture framework developed by the Institute of Risk Management, UK, and the risk maturity model developed by G31000, which covers elements of risk culture. Whichever model risk managers select, they should make sure it is aligned with the ISO 31000:2018 principles.


When reviewing risk management culture, risk managers should, among other things, look at:



  • Whether accountabilities and responsibilities for risk are well documented - A critical component of risk management integration is building responsibility and accountability (authority, resources, competences) for managing risks into all business activities. Top management should ensure that responsibilities and authority for relevant roles with respect to risk management are assigned and communicated at all levels of the organisation.
  • Evidence of risk management competencies - Risk management competences should be developed in all core business units. Risk management competences should also become an important attribute when hiring new personnel to the organisation.
  • Evidence of risk management training and awareness - All employees should receive risk management training appropriate to their level and risk exposure.
  • Whether individual performance management considers risk information - Mature organisations align individual performance management with risk management. Employees should have individual key performance indicators relating to the management of risk and their participation in the risk management processes.
  • Evidence of open communication and transparency - Information about risks is openly discussed during the decision-making process. Significant risks are given due attention at management and Board meetings. Executives are receptive to bad news and are ready to discuss risks and risk mitigations.

 


Risk managers should regularly discuss culture and attitude to risk with senior management and the Board, as well as help communicate Board and senior management expectations to the employees.