How to transition from an 'active' to a passive risk culture

The Royal Commission’s findings against NAB, CBA and others, coupled with the recent Westpac scandal, have revealed that money doesn’t buy you happiness. Similarly, an infinite number of systems and resources are no guarantee of establishing a forward-thinking and ethical business culture.
By Irini Agollari – Legal, Risk & Compliance at InnoWell

The question is, what can Risk leaders do to move beyond imbedding a risk culture that merely ‘prevents breaches’ to one that proactively meets community expectations?

With consumer confidence at record lows, it is vital businesses act with greater transparency, understanding and integrity.

As Risk leaders, we are pivotal in creating this powerful change. This is how.

1. Commit to being part of the solution

Your colleagues expect more from you than to be the ‘handbrake’, the anticlimax, the woman (although more often the man) in the room that tells them they can’t launch a product or innovate their offerings because the risk is too high.

Our profession needs to move away from this paternalistic relationship with other areas of the business if we want to have our voices heard. Building a financially viable business is paramount, but to do so we need to build trust and credibility in the communities we service.

We need to differentiate ourselves from our competitors by championing integrity – if this message is celebrated, if it is lived and breathed throughout the company, then it becomes part of the value proposition.

You can’t build a strong risk culture if your colleagues fail to see you as one of them. Risk leaders need to re-invent themselves as business leaders. They need to think creatively and replace their “no can do” attitudes with “how else can we do this?” and be part of the solution.

2. Be open to co-design

We live in a world where Risk leaders are burdened by the bureaucratic and archaic software tools that they’ve inherited from their predecessors.

If you want people to adopt change, co-design systems and processes that work for real people.

I recently ran a series of risk workshops at InnoWell to introduce our new and shiny risk strategy, accompanied by an overall risk resilience framework and processes that underpin it. It was all approved and given the green light by the CEO and the Board. I was so excited to roll it out to the team of software engineers and developers. My hope was that it would drive a stronger understanding around risk management (especially privacy compliance).

As I started my presentation, I saw a few eyes roll – not the greatest of starts. As I persisted, several attendees took out their smartphones and lost interest altogether. At first, I didn’t know what to do.

When confronted with such a scenario you have two options.

Either you can bang on the table and insist on their full and undivided attention or put your pride to one side and simply ask “why”.

Needless to say, I opted for the latter. “What is it?” I asked, “What have I missed?” looking straight at the CTO.

Engineers, developers and technologists can often be overly analytical and detail oriented. They’re the ‘doers’, the oil engine, the backbone of the company. They are not interested in politics, strategising or “selling” their ideas. They know what they need to do – build a product that solves a problem and make sure it doesn’t break.

At their core, they want everyone else to stay out of the way.

I vividly remember a senior leader politely telling me that:

“Risk people are like pelicans flapping their wings and creating noise.”


It was then that it hit me. I had used my so-called “10 years’ experience” to develop a best practice approach to risk, with the tools and templates that are ‘best practice’.

My approach, albeit impressive at the leadership level, had failed to consider that to drive “change” and adopt a new way of working, you must speak to people in a language familiar to them. In fact, a large part of that process involves adopting tools and systems they already use.

My presentation to the tech team that day transformed into a co-design workshop. By working collaboratively, we adopted a completely new approach to risk management. By applying tools like JIRA and Asana, we avoided duplication and improved compliance whilst reducing privacy risks significantly.

To build a strong risk culture, you need to co-design systems with the people that will actually use them. You must walk that journey together in order to end up at the same destination: a truly imbedded best practice approach to risk management.

3. To be a leader you need to embrace change

Risk is often synonymous with stubbornly refusing to change one’s course of action. Unless we can change this perception, we will fail to be influential, and without influence you cannot implement culture change.

To be a leader is to model behaviour, be open to your mistakes and ask questions. Good leadership involves surrounding yourself with individuals and experts who can provide the insights and answers you need. Have the courage to be vulnerable and say “I don’t know”.

4. Focus on people and building relationships

We all know that one person at work that uses highly esoteric language and buzzwords, aimed to intimidate and exert superiority. If my legal training has taught me anything, it’s not to be that woman. Just don’t. I know it can be tempting; straight out of Sydney Uni Law School, I thought I knew it all.

Only nobody would listen. Why?

In the end, it was my mother that offered the following words of wisdom which changed my professional life forever.

“First, understand the people, not the job. A job is a job, but the people… they are special. Each and every one of them. Get to know them, like them, and you will always feel at home in any job”.

You can’t influence change if you don’t build trust. The majority of Risk leaders have an innate fear of being seen to be saying the wrong thing, doing the wrong thing, endorsing a controversial plan or idea, which then instantly renders them passive and disempowered.

Risk leaders do, and indeed must, shift this paradigm.

To drive better outcomes and to truly be heard, you must be approachable, relatable and above all genuine.

You need to invest in building strong relationships with those around you and seek to understand them, not judge them.

It is these foundations that will allow you to “pull the risk card” and prevent a potential disaster, without having everyone in the room throwing daggers your way.

Having the trust and respect of the other leaders at InnoWell has allowed me to challenge the status quo without fearing repercussions. Why? Because that is the InnoWell culture.

It’s very easy to exist in a world of lengthy meetings, video calls and bloated emails that say not-very-much-at-all. My challenge to you is: be authentic, be vulnerable, be yourself and get to know others around you on a real, and meaningful level.

Trust me, it pays off.