Risk management has become a key function in almost every large company, but all too frequently it makes an organization so risk-averse that initiative and innovation become paralyzed.
A central part of the problem is that risk managers, mainly reporting to the chief executive officer, tend to see their role as one that’s apart from other employees—as some sort of überguardian of the organization. This is a mistake.
The role of risk manager should be to help build a culture that encourages all employees to take risks—prudent risks, of course. That builds resilience into a company without stifling progress. With shared responsibility for assessing what could put an organization at peril comes a sense of motivation, ownership, and self-reliance—as well as improved decision-making—throughout all levels of the company.
The risk manager needs to shift employees’ attitudes about risk from one of fear and silence toward one of collaboration and teamwork. This mindset change can be summed up as moving from preventing people from doing things (“don’t do”) to giving them a road map that allows them to do things freely, but within a common set of guidelines (“this is how you navigate”).
As part of this transition, bring risk into the present tense and talk about it in real terms, rather than as a vague concept that employees can be reprimanded for overlooking. To deal with the external threats of hackers and lawsuits, for example, make them transparent for the employees. Communicate widely about risk. Have everyone weigh in and map out the areas they see as vulnerabilities. After all, the employees are in the best position to identify such vulnerable elements inside and outside the company.
Break down the walls by creating a companywide intranet for internal posts. Put out a question about risk, and meet to congratulate the person who comes up with the best answer or solution. This is the corporate equivalent of “If you see something, say something”–involving everyone in the organization means there will be eyes literally everywhere. As more employees take a personal interest in the company’s well-being, the risk manager, collecting intelligence iteratively, becomes much more likely to identify the weak links.
Making risk management part of the corporate culture will help create smart, resilient companies and enable them to continue to innovate.