Call to Action 4: Risk Culture and Maturity



This article is part one of a series unpacking the five Calls to Action in IRMSA's 2021 Risk Report.

As the fourth Call to Action in IRMSA’s 2021 Risk Report notes, all the risk management excellence in the world is of little use if it leaves out human culture and behaviour. If your risk management environment primarily focuses on frameworks and processes, you neglect an essential part of modern and integrated risk management.

CTA 4 states that the organisation’s culture efforts and human capital management function must drive its risk culture. Risk management requires clear roles and responsibilities outside of the risk department, and it must extend the reach and knowledge of risk managers. CTA 4 also calls for well-articulated accountability frameworks for risk management activities, and clearly defined escalation rules around risk appetites and risk responses for consequence management.

This kind of risk needs several ingredients. It must have the proper maturity to support its organisation and behave in a resilient and intelligent manner, complete with transparent and integrated reporting. Buy-in from the highest levels for strategic and integrated ‘sense and respond’ risk management is crucial. Managers should understand what constitutes acceptable risk, and their risk responsibilities should be tied to key performance indicators.

In other words, risk management should be woven into the fabric of organisational operations, thus leveraging that culture. Doing so used to be near impossible. The slow processes governing risk management could not keep pace with the shifting realities of the business, which couldn’t afford to wait for more accurate answers.

IRM software such as Riskonnect offers broad integration and information gathering that collects risk data and extends risk services to different people in the company. Various modules can serve different departments, and a variety of frameworks, different risk questionnaires and escalation rules can exist under one roof without confusion.

For example, Riskonnect’s Cyber Risk Module bridges the information silos between risk managers and security specialists. And thryve’s Audit and Assessment Management solution customises relevant risk assessment tools such as questionnaires to different respondents while still maintaining a unified risk picture. Instead of creating uniformity at the touchpoints, you can harness the diversity of risk input and build a single truth out of the different contributions. This approach applies to internal workforces, supply chain partners or even managing the affairs of corporate customers.

Achieving the above comes from a combination of IRM systems and the right partner to handle the orchestration. They ensure the IRM system embraces the right business processes and serves the right services to the right people. That includes learning from different stakeholders what they need, thus helping risk management gain relevancy at all levels. This is thryve’s differentiator: we know IRM software, and we know the risk management world even better. We understand the pitfalls and uncertainties of radically modernising risk systems and bringing culture into the equation.