Building a Risk-Intelligent Culture

Ahmad Sadeddin
Director of Product Management, Coupa Software

Ahmad has launched new products, scaled existing products, and helped turn around struggling ones. In addition, he has worked on a couple of acquisition technology integrations.

Read time: 10 mins

Every company faces certain risks to its business, and every company has a culture around how it addresses them. While official responsibility for managing risk rests with executive leadership and, in large companies, with a dedicated risk management function, the company’s risk culture often forms unintentionally, based on how these people behave.

However, managing risk should really be everyone’s job, and in any given situation it should be driven by the people closest to it. New technology is democratizing information about supplier risks, making relevant information available to anyone in the company who buys things. Since supplier risk cuts across all areas of the company, this opens the door to begin intentionally building what I call a risk intelligent culture: One where an organization has the ability to collectively identify, quantify, mitigate and monitor their exposure to dangers.

Total risk management
I see this as similar in some respects to the total quality control movement that was developed in Japanese manufacturing in the 1950s. One of the central ideas of that movement was that responsibility for quality assurance did not stop at the management level. Anyone on the manufacturing line could stop the line if something was broken, or at risk of breaking. Any group of workers could meet and discuss ways to improve quality and present them to management.

One byproduct of this was greater employee motivation. Another was improved quality not only of products, but of organizational management.

Building a risk intelligent culture is a similar undertaking, with similar benefits. Risk management can move beyond prevention and become an essential driver of collaboration, innovation and empowerment. If you think about R&D teams for example, their ability to take informed risks is central to moving the company into the future. Conversely, inability to assess the reality of risks can lead to big mistakes, or inaction, which in today’s digitally transforming world is a risk in and of itself.

So how do you create a risk intelligent culture?

Step one: Surfacing information
Democratizing access to information is the first step. People need information about probability, which is the likelihood a particular event may happen. And, they need information on severity, which is how big the impact to you would be if it did happen.

To understand severity, you have to be able to bring information about specific suppliers together with your company’s spending data. For example, you may learn from a credit report that a certain supplier has financial woes, or see online that a supplier has poor reviews.

That points to a higher probability of problems, but it doesn’t necessarily mean your risk is high. If you don’t spend a lot of money with that supplier, and another supplier could provide more or less the same item on short notice, you may judge the risk to be small, even if the probability is high. On the other hand, if you have a big contract with that supplier to buy an item that is unique and mission critical, the risk could be severe.

Raising your hand and saying, "There's a risk," is great, but if you can’t quantify it, it could just create noise and confusion. Raising your hand and having this information pushes constructive conversations. When stakeholders have accurate information about both the probability and severity of a particular risk, that sets the stage for intelligent conversations.

Step two: The conversation
The second step is to get used to having these conversations. Most people would agree that they’d like to be part of an organization that handles risks transparently and collectively. However, that’s not always the culture that grows up around it. When people get ignored or shot down for bringing up risks, that is a cancer that metastasizes deeper and deeper into the organization. It creates a culture of secrecy in which people become afraid of exposing risk because they’re afraid of losing their jobs.

If you’re not used to having these kinds of conversations, it is a change, and ideally the executive team should lead by example. And, suppliers should also be involved. For example, if their warehouse suffers from flooding that could interrupt supply, or their financials aren't looking so strong, you should be talking to them about how you can work together to mitigate the risks. Once you get good at having conversations like these, it can often extend to greater collaboration around products, processes and strategy.

Step three: Making decisions
The final step is decision making. The decisions you make are what shapes your risk culture over time. For example, I was once working with a relatively young company when they found out a key supplier was having some serious financial problems. Though it came as a surprise to them, they decided that since they too were once a high-risk company and people made a decision to work with them, they would do the same.

Clearly, they have a bigger risk appetite than most other companies. But the point is, they had all the information they needed to be able to make a conscious decision about whether that was a risk worth taking.

Ironically, one of the biggest problems in risk management is that companies frequently take no action on known risks. That can be cultural, but historically it has been difficult to assemble all the necessary data to make timely decisions around supplier risk. Technology is changing that.

If you have transparency around information, and open and honest conversations about risk become a normal part of every project, that changes the culture. Once the information is out there and everyone knows it’s out there, then it’s far more likely that someone will be accountable for doing something about it.

The risk intelligent organization
Risk management should be an enabler of action, not a blocker, or a demotivator. It’s not just for executives, or a dedicated team off in the corner crunching numbers. It should be a collective effort where everyone has access to information and contributes their own subject matter expertise.

We haven’t previously had all of the information needed to support that ideal. Now that we do, learning to collaborate on supplier risk management can be the first pass at intentionally shaping a risk intelligent culture that can extend to other aspects of risk management as well, for those companies brave enough to embrace it.