If you knew that an action you were contemplating could conceivably cost your organization billions of dollars, permanently ruin its reputation and maybe get the CEO fired for good measure, would you risk it? I'm going to go out on a limb and say you probably wouldn't. Yet people do it all the time. Why?
At the Chief Risk Officer Summit in Sydney last month, Antoine Le Tard, RSA's General Manager for Australia and New Zealand, made a powerful case that the reason lies in an organization's risk culture. Is it a resilient risk culture, i.e., one that teaches people about the risks and consequences of their actions, and models risk-averse behavior from the top down? Or does the culture, instead, tolerate people unknowingly (or knowingly, in some cases) engaging in high-risk behavior? If it does, look out -because it's no exaggeration to say the outcome can be catastrophic.
Le Tard points to an example of the consequences of a weak risk culture pervading an organization. He describes a situation in which senior leadership of a manufacturing company allowed engineers to cross ethical boundaries that made it appear their products complied with legal requirements when they did not. Ten years and billions of dollars in penalties later, it seems clear their choice came at a very high cost.
Perhaps employees weren't aware of the risk, or didn't fully appreciate what would happen as a result of their actions. Le Tard's positon is that leadership teams should encourage a strong risk culture where employees are risk aware, understand the consequences of their decisions and are not afraid to raise objections when necessary.
Risk awareness and leadership from the top are two defining characteristics of a resilient risk culture that could have prevented the negative impact described above. You need both in place to build that culture. You also need security policies and technologies that protect against risk. Think about an everyday risk scenario such as phishing. In a resilient risk culture, all these factors come together to control the risk: employees who are taught to be on the alert for schemes, security technology that adds a strong layer of defense, and business and IT leaders who understand the importance of both in managing the risk.
The RSA Archer® Governance, Risk & Compliance (GRC) platform provides the technology foundation for a resilient risk culture, but to make the most of that technology requires a commitment to risk awareness at every level of the organization. Find out more about the building blocks of resilient risk culture in Antoine Le Tard's recent article on the topic in CSO Online.