A recent posting by McKinsey & Company talks about "managing the people side of risk". Part of their discussion is about the properties of a "strong risk culture" which are worth a mention here at Musings:
Acknowledge Risk: Everyone knows that risks should be acknowledged (no news there), but to actually have the courage to do it consistently is the sign of a strong culture. We read: “If we see it, identify it, and size it, then even if it’s horrible, we’ll be able to manage it.”
Encourage transparency: Sometimes accepted practices "... unintentionally reduce transparency regarding risk. For example, at one .... company, the culture thrives on competitive teams. Competitiveness is so strong that product-development teams use subtly different risk classifications so that their respective projects can’t be directly compared."
Respect risk: "Companies often unconsciously celebrate a “beat the system” mind-set, rewarding people who create new businesses, launch projects, or obtain approvals ....—even if it means working around control functions ....." But, in the long run such rogue activity can be destructive by its overall culture of disrespect; others have shown that .... "In the best of cases, respect for rules can be a powerful source of competitive advantage." At first blush, this is not intuitively obvious, by the McKinsey folks say: "... confidence in proceeding [with a risky venture] resulted from an exhaustive risk debate [in accordance with rules and controls] that reduced fear of failure and encouraged greater boldness..."
Check out these books I've written in the library at Square Peg Consulting