Your Transformation Initiatives Might Be Impeded by a Passive Risk Culture

Corporate Governance

Your Transformation Initiatives Might Be Impeded by a Passive Risk Culture

  • Your Transformation Initiatives Might Be Impeded by a Passive Risk Culture Five thoughtful actions for boards to lay the groundwork for a robust, forward-looking approach to risks that support companies’ aspiration to innovate, digitalise and drive sustainability.
  • Date: Apr 21, 2022
  • Category: Corporate Governance
  • Print

Five thoughtful actions for boards to lay the groundwork for a robust, forward-looking approach to risks that support companies’ aspiration to innovate, digitalise and drive sustainability.

By Michele Kythe Lim and Grant Griffiths

In the past few years, the world, driven by Covid-19, has pivoted in ways most of us could not have predicted. On the back of that, companies are embarking on a series of transformation programmes, particularly to become more digitally mature as well as more sustainable on the triple bottom line of people, planet and profit.

However, doing business in today’s volatile climate is itself a tall order as companies have to juggle a vast network of evolving risks – internal, external and existential – with greater complexity and inter-connectedness than ever before. Managing large-scale transformations during these times will bring further uncertainty and raise the risk levels, but the opportunity to implement long-term sustainable change is one that companies cannot afford to ignore.

Therefore, it is no surprise that there has been a renewed focus on managing risks in the boardroom. In the ICDM 2022 ASEAN Board Trends Survey, we found that ASEAN boards are looking to elevate their oversight capabilities in risk, with the risk management committee (54%) emerging as the top board role requiring improvement in 2022.

From Passive to Proactive

In many organisations, there has been a tendency to deal with risk passively, regarding it as a compliance-oriented matter and conflating risk with finance and audit. This often results in missed opportunities in identifying areas of growth alongside the required levels of oversight to deliver breakthrough performance.

Instead, companies should develop a greater capacity to think of risk as being a proactive way of understanding uncertainty and the factors that can positively impact strategic outcomes. There is also a need to reframe the perception of risk from “something to be avoided” to “something to be explored”. After all, risk is embedded in the organisation’s pursuit of success.

A passive risk culture hinders transformative initiatives as it does not promote either innovation or the environment for new ideas, let alone providing the supportive culture necessary to facilitate an open dialogue on risk and opportunity, which ultimately drives success. A passive risk culture focuses on short-term mitigation plans which are often reactive in nature, rather than more robust, proactive and value-creating risk responses.

Amidst extensive programmes to drive innovation, digitalisation and sustainability, the risk management strategy should be refreshed in tandem with the aspirations for resilience and long-term growth. That means moving away from a controls-oriented risk approach and towards one that is dynamic and forward-looking. A forward-looking risk culture and setting the necessary tone for ensuring the right risk culture is perpetuated and driven by an organisation’s leadership.


While risk culture can be challenging for many organisations it can be defined through ten dimensions across four key areas: acknowledgement, responsiveness, transparency and respect, as outlined in Exhibit 1.

Exhibit 1:


Risk policies, procedures, and systems, regardless of how well-crafted and sophisticated, are only as good as the people responsible for executing them. Their mindsets, practices and behaviours will make or break the risk management strategy.

As part of the boards’ risk oversight duty, it is worthwhile for directors to allocate time and energy to create conditions that engender the desired risk culture. Here are five thoughtful actions boards can take to set the tone for a robust, forward-looking risk culture.


1. Align risk with strategy

Building a strategically focussed, proactive enterprise risk management mindset starting at the top

As the first step to transition from a controls-oriented approach to a proactive enterprise risk management mindset, boards should look at strategy development from the perspective of risk and opportunity management. For example, if a retail company’s vision is to be environmentally sustainable, their strategy development should include a consideration of potential scenarios, threats and opportunities, ranging from stakeholder expectations to regulatory requirements, and from tech disruptions to the environmental, social and governance (ESG) factors. Such an exercise brings greater insight and offers clearer direction. By understanding the gaps, strengths and weaknesses of the company, the board and management can arrive at a strategy that is far more purposeful and impactful and as an enabler in making the desired transformation happen.

Upon settling on a strategy, aligning risk with the execution of the strategy from the outset at the board level also allows companies to explicitly pinpoint the critical risks that would influence outcomes. For instance, if the strategy for the above-mentioned retail company is to digitalise and venture into the e-commerce space, it would have to consider risks in data privacy, cybersecurity, logistics, customer experience, the carbon footprint associated with packaging and delivery, as well as human capital. And let’s not forget the project-related risks associated with the development and implementation of new processes, systems and people needed to deliver the expected outcomes. Greater awareness of these risks increases agility and responsiveness by providing greater foresight in mitigating potential threats and capturing emerging opportunities, thus offering the retail company a smoother market entry and a better chance to get ahead and benefit from the upsides.

In a nutshell, building a proactive risk culture is the very foundation of successfully aligning risk and strategy, which in turn influences behaviours and performance.


2. Find clarity in diversity

Diversity plays a critical role in shaping the board and the organisation’s attitudes towards risk

Humans are at the core of risk oversight and management. Directors’ personal predispositions will influence boardroom discussions on risk. Board diversity, therefore, plays a critical role in forming the board and the organisation’s attitudes towards risk as imbalanced boards are more likely to have a distorted view of risk. Based on our observation, many boards today lack the diversity of thought, experience and skills to perpetuate deep discussions on risk.

Research shows greater board diversity fosters more efficient risk-taking, and organisations with diverse board members invest persistently more in research and development (R&D) and have more efficient innovation processes. This truly emphasises the importance of having a balanced board composition. For example, members with a legal background will have a very different perspective on risk from members who are entrepreneurs or members who used to be diplomats. By coming together, they form a more holistic risk perspective that will give the company a better chance of achieving sustainable performance.

Moreover, risk should not be treated in isolation and nor should it fall on just one director with “risk expertise” to act as the sole stakeholder and authority on risk. It requires diversity of experience, thought and seniority, all contributing their collective wisdom as a board to ensure the culture is cultivated right across all functions, departments, geographies, as well as with stakeholders including joint venture partners and the supply chain (extended enterprise).


3. Adopt networked thinking

Making sense of the growing interconnectedness of risks to build greater risk awareness

In an increasingly interconnected world, risks do not exist in isolation. Like humans, they form interdependent, complex networks. Events and technological advances have often been viewed in isolation when in fact many of the events, changes and innovations taking place elsewhere or in other industries can, and usually do, have an impact on organisations on a more global basis. 

The instant noodles manufacturers in China saw a drastic decline in sales between 2013-2016. Amongst the key unexpected contributors to the drop turned out to be the explosive growth of China's high-speed railway networks and the rise of instant food delivery. 

Networked thinking provides organisations with an opportunity to develop a broader understanding of how external market forces can impact the business, be it supply chain, resources management or even reputation. Being able to make sense of the interconnected nature of risk forms the baseline for organisational resilience.


4. Empower everyone to take action

Drive risk collaboration by encouraging open communication and risk-informed decision-making across all business units

Creating an environment where conversations on risk are encouraged is an important first step. A risk-aware culture where employees feel safe to speak up and take action will be extremely beneficial in providing early warning and enabling speedy response to crises.

An excellent example can be seen in the oil & gas sector. Employees are encouraged to act if they see or even suspect something hazardous is likely to occur. They do so with the knowledge that there will be no adverse repercussions for taking action even if it means ceasing operations with a loss of production and revenue, despite the pressure to achieve performance targets. 

Contrast this with the practice of days past when taking such action usually resulted in recriminations and retaliation from managers and peers. Interestingly, we saw a far greater number of major incidents and disasters happening when the culture did not support a risk-aware approach and did not empower people to proactively take action to manage risk.


5. Allow room for failures

Making risk less personal and incentivising smart risk-taking to capture growth opportunities

Executives and managers in large corporations are often discouraged from proposing or advocating for out-of-the-box but risky projects despite knowing that they could be good for the company. This can largely be attributed to fear of jeopardising their careers should the projects fail. Allowing room for failures through a test-and-learn approach can greatly reduce risk aversion amongst the workforce and enhance the company’s ability to capture and successfully exploit growth opportunities.

This requires the board to clearly define the risk appetite and communicate the mindset and behaviours expected in the day-to-day decision-making process. One crucial practice to consider is the use of scenarios, decision trees or other methods to map out likely outcomes - both positive and negative outcomes – bringing greater clarity along with the ability to better track and measure risks and outcomes, before deciding to embark on a project. Even if the project fails, it is not done in vain as companies can derive from it lessons learned that can be applied for future endeavours.

Exhibit 2:


Risk management is a perennial feature in business. However, as the business landscape evolves, the risk management approach must also evolve to meet the growing need for change and adaptability. Having a proactive risk culture to support the risk frameworks and processes will give your transformation initiatives a better chance of success. The impact of the tone from the top cannot be overstated and boards must first exemplify the risk culture they want the organisation to adopt by setting the tone and living the values. But to get there it needs boards to have honest conversations on risk and risk taking.

Does Your Company Have a Proactive Risk Culture?

Culture in an organisation can be defined as “how things get done around here” and risk culture is a subset of organisational culture. Risk culture is about how risk is viewed, dealt with, and how well understood it is. Here is a checklist the board can use to determine the company’s current state of risk culture.

  1. Are the company’s risks aligned with the strategies?
  2. Do we have a clearly defined risk appetite?
  3. How well understood is risk and risk management?
  4. Does everyone understand their role in managing risk?
  5. Is risk embedded in the day-to-day decision-making and execution?
  6. Are our reward structures such that we reward taking action to proactively manage risks?
  7. Does the workplace encourage people to speak up?
  8. Do we have a test-and-learn mindset and room to learn from failure?

About the Authors:

  1. Michele Kythe Lim is the President and CEO of the Institute of Corporate Directors Malaysia (ICDM) . Under her leadership, ICDM has embarked on a series of director development programmes, board advisory services, as well as research and advocacy projects to build and strengthen the country’s corporate governance standards and culture. Michele works with a wide range of boards and directors, from both the government and the private sectors.
  2. Grant Griffiths is a non-executive director and risk & governance professional who has held senior leadership roles with private and public sector organisations in consulting, energy & renewables, engineering & construction, technology and financial services sectors across the Asia Pacific, UK and EMEA regions. He advises boards, directors and executive teams on transforming culture, implementing ESG, sustainability and risk / ERM / resilience capabilities to create future-ready enterprises. He is a Global Ambassador for the Institute of Risk Management.
  • Tags : Corporate Governance

Other Trending