A security manager’s toughest task is to help build a culture of awareness regarding the risks threatening the organization. The term risk-aware culture is commonly discussed in organizations working to establish an information security management system. The ISO 31000 risk management standard is explicit about what it expects of an organization’s risk-aware culture, and in order to pass the certification process for ISO 27001, the organization must establish a visible environment and culture that cultivates risk awareness.
What is a risk-aware culture?
We define it as a foundation of values, knowledge, beliefs, understanding and communication of the risks associated with the organization’s objectives and with the assets necessary to achieve those objectives.
The definition of the word culture according to the Oxford Dictionaries online, as it pertains to a group of people, is: the ideas, customs, and social behavior of a particular people or society.
Risk awareness may also be defined as the capability of the organization to recognize risks before they materialize, mitigate them when they arise, and recover from the damage they may cause. Creating a risk-aware culture means that this capability is present throughout the organization and is woven into the normal routines, rituals, and behaviors of everyone involved. To create a risk-aware culture you will need to bring together a collective group of individuals (the organization) to establish and maintain that culture. This can be a daunting task for any Operational Risk Manager, Chief Information Officer, or Director of IT who is responsible for the risk awareness of the organization.
The first step is for leadership (executives and top management) to demonstrate their leadership and commitment to the information security management system by collectively establishing the core values, policies and procedures of the organization. This initial stage is outlined in ISO/IEC 27001:2013 (clause 5, Leadership) and is a must-have before the certification process can begin. Risk management responsibility will then be shared across the leadership of the organization once the Risk Manager has the buy-in of her colleagues. Without the commitment and leadership of the management team, the risk manager’s job of protecting the assets of the organization will be extremely difficult, if not impossible.
Once leadership has established the foundation for building the risk-aware culture, the next step is knowledge sharing with the other members of the organization. This includes issuing written documentation of the policies and procedures, personal contact with individuals to explain the specifics of those policies and procedures, and continuous education on the importance of risk awareness. A specific procedure for reporting potential risks, including an anonymous option for those who do not wish to be identified by their peers, is a necessity.
Improving risk awareness requires more than just modeling and communicating appropriate behaviors. The hardest aspect of building a successful risk-aware culture is to garner the buy-in of the majority, if not all, of the members of the organization. This stage of the information security management process can be a challenge, especially when you consider the difficulty of constantly communicating the messages related to risk awareness. Leadership has to discover the training techniques that work best within the organization to reduce overall risk. A few examples include: a security risk topic of the week, a reward program for reporting risks, visual signs and posters calling out specific concerns to watch for, and improving the delivery of the messages themselves.
We are living in a digital age, and the amount of video content we are exposed to daily is incredible. A great technique is the use of security videos that demonstrate risk scenarios and how to handle them. The boring welcome-to-the-company safety and security videos that many of us have sat through are not the answer; what works is an up-to-date approach covering modern topics, such as “Personal Mobile Devices at Work.” There are companies that specialize in creating these videos, such as AwareGo, which makes security awareness and compliance training more engaging and entertaining by delivering an important message in a somewhat comical way. The organization could also decide to empower staff members to create these videos themselves, which helps them internalize the organization’s security concepts. Staff relate better when they watch fellow team members act out the scenarios.
Another great example of risk awareness education is to bring individual employees in to discuss the assets and procedures they are directly responsible for. By spending the time to introduce employees to these specific assets, threats and mitigating controls, each individual gets a clear perspective on how their actions affect the organization. Individuals may even walk away from the meeting with a teachable point of view that they can share with coworkers, further extending the reach of the leadership risk management team.
Three key points to keep in mind when cultivating a risk-aware culture in your organization:
When an organization’s culture is risk aware, people (1) know their risks, (2) are comfortable discussing those risks with others, and (3) are willing to help others resolve theirs.
This article is not meant to be an advertisement, simply a few ideas and suggestions for anyone who is responsible for building a risk-aware culture in an organization. Our risk management software doesn’t help you build a risk-aware culture, but it definitely will save you time in your risk management process, freeing up time to focus on the culture. If you wish to contact us, please visit our website or send us an email.