Skip to main content

Creating a More Sophisticated Risk Management Culture

Organizations that follow a formal process of risk management are generally more resilient than those that do not, and they are better able to navigate crises because the process is embedded within their corporate culture to make sure that they're proactively trying to identify emerging risks regularly.

Companies with a more mature and governed risk program are likely to fare better in volatile times and more quickly gain consensus on steps their organization should take to address and mitigate problems as well as to unite stakeholders from across the risk, finance, legal and operations suite on strategies for the future.

While developing a sophisticated risk management culture won't happen overnight, these three steps can get you started down the path of a more strategic approach.

Assess Your Current Risk Maturity

Getting better starts with knowing where your risk management practices stand now, compared with your peers, as well as across different parts of your organization.

Organizations need tools to assess their risk maturity. That is why, in 2011, Aon developed the Aon Risk Maturity Index along with thought leaders at the Wharton School of the University of Pennsylvania. The index helps senior finance, risk and legal professionals understand their current position and how they can grow in their risk management practices.

The Risk Maturity Index is a framework to divide risk management knowledge into five essential levels:

  1. In the initial level of risk maturity, the organization and executives identify and address risks within silos only. The components and activities of the risk management process are limited in scope and implemented in an ad-hoc manner.
  2. A basic level of risk maturity means risk management activities occur at the functional level rather than at the enterprise level. Organizations and people emphasize compliance and risk data is considered informally or implicitly in decision making.
  3. With a defined level of risk maturity, organizations and managers understand and address their primary risks. They have the capabilities to measure, manage and monitor risks, but apply those metrics inconsistently across the organization.
  4. An operational level of risk maturity among organizations and professionals means they have a clear understanding of the organization's main risks and a consistent execution of activities to address these risks.
  5. With an advanced level of risk maturity, organizations and executives have a core strength to identify, measure, manage and monitor risks. Risk management processes are dynamic, adapt to changing business cycles and provide a competitive advantage.

Figuring out where you and your organization fit into the risk maturity spectrum can help your senior executives navigate uncertain environments and improve financial performance.

Prioritize Board Involvement

Risk management and strategy are deeply intertwined. Organizations that excel at strategic risk management involve the board in conversations about long-term risks at least quarterly. A board-level understanding of, and commitment to, risk management is critical for decision-making and driving value.

Board involvement requires strong leadership across the organization. A senior-level executive should facilitate the risk management processes and development with the board. That leader should transparently communicate the risks faced by the organization routinely to the board and involve all key stakeholders in developing risk management policies and strategies.

The volatile world demands more board involvement in risk management. Increasingly, boards of directors are obligated, in the case of regulated entities, or challenged to know the significant risks their organizations face and how these risks are managed.

Risk maturity at the board level affects financial performance. For example, insurers providing directors and officers (D&O) insurance, a type of management liability insurance covering directors and officers for claims made against them while serving on a board, consider the board's approach to risk management as part of their underwriting process. Aon has found a correlation between higher risk maturity and lower D&O insurance premium rates over time.

Embed Risk Strategy Throughout the Organization

A sophisticated risk management culture flows from big-picture strategy down into every aspect of the organization. Executives and managers have processes and tools in place to identify risks early. People are empowered to work together to address emerging threats. The culture naturally promotes an advanced level of risk maturity.

A risk management culture requires data and analytics to thrive. These tools help employees identify risks early and incorporate operational and financial risk information into decision making and governance processes.

Better data and analytics often lead to an increased understanding of risk appetite and the total cost of risk. The goal should be to use sophisticated quantification methods to identify risk and demonstrate added financial value through risk management. It takes expanding the perspective from risk avoidance and mitigation to risk financing as a core part of how an organization drives financial performance.

A best-in-class risk management culture encourages full engagement and accountability at all levels of the organization. As uncertainty and volatility increase, risk managers are tasked with fostering this culture to preserve and grow their businesses.