Neil Hodge looks at ways of raising risk awareness

In the wake of Enron, WorldCom, Equitable Life, Shell and Parmalat, good risk management has become synonymous with good corporate governance.

As a result, organisations are being forced to boost their internal controls and constantly question executive decision-making to make sure that best practice is paramount and that previously ignored risks are now on the boardroom's radar screen.

In June last year professional services firm PricewaterhouseCoopers found in a survey of more than 130 senior executives in financial institutions worldwide that 82% thought that risk awareness is now more pervasive in their organisations than it was two years ago. Nearly three-quarters (73%) agreed that their organisations now define their appetite for risk more clearly.

However, the survey also found that risk management remains primarily focused on meeting regulatory requirements, and that a culture of risk awareness has yet to emerge in most organisations.

Everyone involved

The present management trend is to get all workers to take the business of minimising risk and assessing future hazards seriously. Jeremy Ward, a risk consultant at Symantec, which specialises in information security, says that it is particularly important for all members of staff to be trained to be risk-conscious, if only because the communications revolution has made it so easy for an unwary employee to wreak havoc.

"Let's face it, the people far down the corporate food chain often have access to amazing amounts of data that could be incredibly risky if it got in the wrong hands," says Ward.

However, one of the key problems that organisations face is stating clearly what they view as critical and non-critical risks, and instilling a culture where everyone in the organisation appreciates risk in the same way. Professor Brian Toft, director of research at Marsh Risk Management Consulting, says that people's perceptions of risk are based on their life experiences.

"If someone has always lived with his parents and done what he is told, he is likely to be risk averse, unlikely to identify potential risks, or even bother to raise them with management if he has suspicions," says Toft. "Conversely, someone who enjoys dangerous sports, for example, is much more likely to be a risk-taker, even when those risks fly in the face of common sense."

John Colley, chairman of (ISC)², a training body for information security professionals, says that the first rule for raising risk awareness in a company is not simply to preach a series of diktats to workers but to explain the risks involved.

ANZ, the Australian bank, took such an approach some years ago. The bank developed a programme to assess the company's risk, which got as many people involved as possible. At the project's peak, the bank had around one-third of its employees involved in developing the group's risk management policy.

Some organisations, such as Secoda, have developed sophisticated IT products that can help make employees aware of all the policies that impact important areas of the business. The company's RuleSafe package is an intranet-based product and provides a one-stop site for employees to learn exactly what policies they need to be aware of, at any given time, quickly and easily.

The package enables management to track understanding and compliance across the organisation. The software's 'click-to-accept' feature asks users to confirm they have read and understood each policy sent through to their desktops.

However, the main drawback with such software is that it can lead to box-ticking compliance, rather than a genuine understanding of risks to the business and how those risks should be mitigated. Furthermore, such initiatives can lead to a top-down approach where management retains the lead.

David Gamble, executive director of AIRMIC, believes that management-level decision-making can seriously hinder an organisation's risk awareness.

He says that risk analyses are usually based on the opinions of a select few, and can cut out the opinions of over 90% of the workforce.

"The problem that infects too many organisations is that the people who define what risk is and how it is to be managed are often all very like-minded, have worked at the same organisation for years and have very similar career backgrounds," says Gamble. "That usually results in a limited discussion of broader risks to the business, and more often than not a complete disregard for risk awareness issues raised by anyone outside management."

Gamble says that the organisations that tend to have a better understanding of risk awareness are those that encourage all employees to think about risk and controls; that have risk, assurance and compliance departments staffed with people from very different professional backgrounds; and that have boards prepared to challenge their assumptions.

"The traditional view that the only way someone could understand the business is to stay there forever is dying out. There is a much greater realisation that organisations can benefit more from people discussing how risks were identified and managed in their previous organisations and industries."

Toft agrees that organisations should publicise best and worst practice, so that people can develop their sense of risk awareness. He also says that it is vital for organisations to foster an open and honest culture in the workplace, where people at all levels can voice their concerns.

"There is still a reluctance in many organisations for people to come forward and highlight problems because they feel that they might be criticising management and be sidelined as troublemakers. That culture needs to be stamped out."

- Neil Hodge is a freelance journalist.