Addressing risk management in a company requires a set of skills whose effects, once applied, we are apparently unable to measure.
Risk is a potential future event, which tells us that activities must be planned to prevent, mitigate or recover from its effects. The plan must then be put into practice with the right resources, because otherwise the planned interventions will lack effectiveness. Involving the appropriate roles ensures that operations are carried out within the expected time and with the right effort. All interested parties take part in an organizational communication process that makes clear what task is to be carried out, when, how, and with whom. Human resources have been trained beforehand on the tasks to be carried out, and their ability to act in an emergency has been verified.
All of this requires prompt decisions, including reasoning about the costs and effectiveness of the interventions and about their consequences and benefits for the business. In other words, it means having a mature capacity to manage a set of rules, attitudes and behaviors relating to risk awareness, management and control. More precisely, we are addressing what is known as “risk culture.”
Risk culture is not directly measurable, because it has no form or effect that lets us define a specific metric, but it still produces many clues that it exists and that it is part of the daily decisions of the business at every level. Knowing the state of maturity reached in the risk culture is essential, because it allows us to adjust the risk attitude and improve the way risk is dealt with. This improvement is reflected in the ability to increase the value of the business.
Measuring risk culture requires the capacity to assess meaningful indicators of how decisions are made, how they are applied on a daily basis, how results are monitored, and how difficulties are reacted to. By aggregating these assessments, we indirectly obtain a measure of the degree to which risk culture is applied in an organization.
My recent ISACA Journal article tries to identify the most significant elements of risk culture and to evaluate them with a maturity model based on the progressive achievement of thresholds that indicate a growing ability to satisfy the constitutive requirements.
As suggested behavioral areas for evaluating risk culture in the company, the article proposes: the ability to communicate the correct information; the ability to provide the right training on the tasks to be performed; the ability to understand risks and incidents; the ability to provide adequate resources for the needs; the ability to establish roles and responsibilities suitable for general operations; and the ability to act according to principles of ethics and transparency.
Which maturity model to choose, which indicators to prefer, how to carry out the assessment, and what considerations apply to the mathematical model are all details explored in my article.
Editor’s note: For additional insights on this topic, read Luigi’s volume 3 ISACA Journal article, “The Measurability of Risk Culture.”