5 Steps for Creating a Risk-Ready Company Culture

Part of the thrill of working for new clients is the opportunity to learn. Through the years I learned about shared services for automobile airbag safety, rural health care and combat-veteran recovery, among other topics. 

Recently, I joined a team doing enterprise risk management (ERM) work, and once again began a journey of learning. I had little time to study the subject before my first client meeting with a large federal health care agency, so beforehand I told the project lead that I wouldn’t talk much during the meeting because I didn’t yet know enough about the topic to contribute. 

I’ve since learned that enterprise risk management addresses an organization’s full spectrum of internal and external risks. It both protects and creates value for the organization. 

Our team spent the last year designing an ERM program that would work across the health care agency’s clinical, scientific and operational business units. Designing the comprehensive program was not an easy task, as each unit has its own business requirements, cultures and operating models. My job was to create a communications plan for the initiative, help roll out the program and bring it to life for employees. 

As I listened during that first meeting, I eventually spoke up and asked a few scenario-based questions to test my understanding of enterprise risk. I realized that although I wasn’t yet familiar with ERM, my career as a communicator had given me experience with risk and what happens when it’s not prepared for and addressed clearly and quickly. Most communicators have learned to sniff out risk, because we’re constantly thinking: “What if something goes wrong? What is the worst thing that can happen?” 

Focusing on the cause

While many organizations focus on finding and preventing risk, few address what usually causes that risk: people. Risk cannot be fully eliminated because people run organizations. Bad decisions will be made. A standard operating procedure will be skimmed over. Risks will occur. 

Communicators can add value in the battle against risk by helping organizations create a risk-ready culture. Think of it as a “see something, say something” campaign for internal risks. Employees at all levels have to get comfortable regularly talking about it.

Normalizing risk makes it solvable. We have to first name our fears before we can address them. When employees don’t feel comfortable talking about risk or know how to report one, the risk can fester and grow.

Here are five communications tactics to cultivate a risk-ready culture and support enterprise risk management:

1. Communicate about risk readiness.

The shift to a risk-ready company culture requires that all employees hear about risk from their managers and supervisors through emails, team and one-on-one meetings, working sessions, etc. Employees should also hear about risk from company leaders in more formal settings such as all-hands meetings, conferences, talent reviews and annual reports. Communicators can shape everyday messages about risk that will resonate with various audiences. 

2. Hold risk-ready conversations.

Rather than make enterprise risk management an annual process or campaign, communicators can sustain the conversation year-round by normalizing risk-centered discussions. For one client, my team created bimonthly, risk-ready conversation toolkits. Each kit included talking points, discussion questions and a fact sheet, among other components, all designed to help managers have open discussions about risk with a unified voice across the organization. 

3. Build in risk-ready feedback loops.

A good enterprise risk management program incorporates staff and customer feedback into the process. Communicators can then use this feedback to create targeted risk-management materials for different stakeholders, adjust messages that are not “sticking,” and address ongoing employee concerns.

4. Use surveys to track progress.

While an enterprise risk management program evaluates the risk-management process, communicators should evaluate the maturity of the organization’s risk-ready culture. Consider using quarterly surveys with several questions to track the progress of your staff’s understanding of enterprise risk management, their role in the process and their comfort talking about or reporting risks.

5. Reward risk-readiness.

We can never go wrong rewarding risk-readiness behavior. Organizations can develop some form of open recognition, such as a certificate, that anyone can access to acknowledge a co-worker. Better yet, performance reviews can include recognition metrics to anchor risk-readiness behavior into an organization’s long-term culture.

For communicators to fully support an enterprise risk management program, they have to be part of the program’s management team from the start, rather than being pulled in after the initiative has already been built. The more clearly communicators can see potential dangers, the better equipped they are to prepare crisis communications plans and risk-specific messages. 

photo credit: richard drury