News and Info

Risk Management Leader

Incorporating Risk Management Into Company Culture


Large companies are inherently going to have risk however by managing it properly, it can reduce time, money and possibly avoid a poor reputation. Shawn O’Rourke, CEO of Pro-Concepts, and Lea Anne Nelson, Risk Management Consultant and Trainer, discuss how to implement a risk management methodology into a corporate culture.

Risk Management and Culture

Shawn: A risk management program is more than just a program.

[Risk Management] entails sponsorship from the top management, getting buy-in by employees and really when you’re starting risk management, it’s a cultural change.

Lea Anne: You know, you bring out a really good point because you really can’t get any kind of quality processes in place without having executive sponsorship and risk management is absolutely critical having a quality process approach in place.

You are going to have risk. I think organizations need to determine for themselves what those thresholds are. What can they live with — “risk appetite” — versus what they need to mitigate. But getting those guardrails set up are also critical. Because otherwise you’ve got the “boots on the ground” folks not following whatever the standards may be and that’s really where risk management starts is with— once you have the decision to roll it out and to have a risk management process — you have to rely on your project managers, program managers — really those almost frontline leaders if you will — to follow and implement the risk management methodology you’re going to use.

Don’t Shoot the Messenger

Shawn: The other thing is as a program manager or lead, be willing to accept bad news. You don’t want to shoot the messenger. If you shoot the messenger, then you shut down people communicating to you.

And the most important thing I think is at that point, is the person who is the “boots on the ground” person knows better what’s going on in the organization than anybody else.

Because there’s been many times when I’ve been involved in the assessment of programs, that the person in the lower level of the organization — the engineer or analysis person — knows that there’s something wrong with an item, but he’s afraid to tell someone that he knows it’s going to be an issue. Four months down the road when that product has to go out the door on Friday afternoon, his boss gets the word we’re not delivering because we can’t get a certain part here on time. That’s the surprise that managers don’t want.

Lea Anne: It was often a concern. If I have risk, then the leaders are going to think that I don’t know how to manage a project. And so, they’d rather not talk about it and just hope they can resolve it on their own. And like you said, you have to have leadership — executive or departmental leadership — that are okay, and they encourage hearing this. It’s not going to be a ding on your performance review. We want to hear what’s happening on the project.

So, we would coach them through that as well but in partnership with executive sponsor because it has to come from both directions. That it demonstrates that when you provide the risk information that this is a collaborative situation. We’re going to bring the resources we have in the organization to deal with the risk whatever it might be. But if you don’t communicate it, then we can’t bring the resources to help out.

Risk Management Provides Credible Information

Shawn: It’s when the executive is talking to his people, he wants to know if he’s got credible data coming to him and that’s the most important thing. Is the data you’re telling me — where’s the foundation of it? Where’s the source of the data? How are you managing it? How are you keeping real-time on it? Are you giving me information that’s three months old? Or is it real-time today?

I am too busy. Why do I need to write the information down if I already know it?

Lea Anne: The other thing I found though was for a project manager or program manager, we would introduce the risk management process. To them, they loved it. They loved the idea of having risk management. But nobody wanted to do risk management. So, for them, you know, they’re busy. They’re managing their team. They are sometimes doing the work a lot of times they’re marketing the work to the customer and trying to grow the business. And so, here we’re saying, “We want you to communicate these risks to us. We want you to capture them and track them.” And to them it’s like “Ah! I’ve got this other thing I have to do!”

And so, it takes some coaching with a team to help them understand how critical it is. And they would say to me, “Well, I know what my risks are. I know that something’s running late and I’ve got to hire another person. I know what my risks are. I don’t need to go and write them down somewhere.” And that’s when we get into, I would tell them,

“Well you’re not writing them down for you. You’re writing them down so that you can communicate them and get people on board with you to help you out and get through this process.”

How to get everyone on board with a risk management methodology

Shawn:  So, with your people, you have to show them you trust them and they’re part of the team and part of the success. Because really, it’s dependent on them doing what they’re doing. So, risk management helps the organization’s execution to meet their business objectives. It helps the teams understand their responsibilities toward those business objectives. And a third one is that the people are engaged.

  • OMB A-123
  • NIST 800-53
  • ISO 31000
  • ISO 9001-2015
  • COSO
  • CMMI
  • PMBOK