CRISC

Course
Time
6 hours 30 minutes
Difficulty
Advanced
CEU/CPE
7

Video Transcription

00:00
One area of risk management that I think has traditionally been overlooked is that in many instances, individuals, management, business owners, process owners
00:12
don't necessarily understand the very important element of risk culture and how the organization's risk culture is gonna impact the decisions that we make.
00:25
So let's just define risk culture. And I think this is pretty good, this one from the Institute of Risk Management:
00:30
Risk culture can be defined as the norms and traditions of behaviors of individuals and groups within an organization. So we could stop right there, right? What are the things that we just assume are normal? What are the behaviors that we anticipate? How do we operate with
00:49
in this company? Because every organization has a slightly different risk culture.
00:54
But here's where it gets interesting
00:57
that determine the way in which we identify,
01:00
understand, prioritize, communicate and act on the risks the organization confronts and the risks that the organization takes. And I like this little chart below because what we see is within our organization, there is a risk
01:19
culture. How we feel about risks
01:23
are we conservative, and we're very aware of risks and their impact to such a degree that we're very risk conscious? Well, that's gonna influence our organizational culture, right? If we don't like to take risks and we have a very low tolerance for error
01:42
and you know that's probably going to mandate that we're in compliance with frameworks, we might be ISO 27001 certified or something
01:51
that affects the organization as a whole,
01:53
and then
01:55
ultimately culture is gonna impact behavior. And that's what we're looking for, right?
02:01
We want the culture of the organization to lead our employees to behaving in an appropriate manner.
02:08
So culture impacts behavior,
02:13
behavior then impacts ethics. And when we talk about ethics, it's what are people thinking about right and wrong.
02:22
So
02:23
our culture, our company behavior, is gonna influence what's right and wrong. And ultimately that will impact ethics, which will impact individuals' predisposition
02:38
in relation to risk. So ultimately
02:42
it's trickled down. And if we talk about trickle down, where do we start? You have to start at the top. So if we want to influence an environment and we want our organizational team members to be risk conscious,
02:58
senior management has to,
03:00
right, we've got to get buy-in from the top, but not just buy-in. Senior management has to lead by example, and they're the ones that choose to implement certain frameworks. Some frameworks might be very rigid. Some frameworks may be much looser in nature. But the bottom line is that
03:19
comes from senior management.
03:21
If you want to impact culture,
03:23
change being your manager
03:25
or if you want to change behaviors, impact culture.
03:30
Right? So this idea that culture on risks affects the organizational culture, which impacts behavior, which influences ethics, which influences what individuals do,
03:44
how we feel about risk at an individual level.
03:47
All right now with that, you know, we said, this has to start at the top. Well, not only does it have to start at the top and senior management be our half Sinan are not signing by off
04:00
about buy-in. Let's look at a couple of things combined here. Senior management has to have buy-in in relation to risk, but they also have to be able to communicate and get buy-in from their employees, right? So we want to make sure that in addition to
04:20
keeping our eyes on the culture within the organization, that senior management's able to communicate in relation to risk clearly and effectively. And if we don't, well, we might have an environment where people have a false sense of security. You know, we may feel, well, we haven't heard any bad news. No news is good news.
04:41
Not always the case
04:42
We have difficulty in agreeing on a common methodology, for instance, if senior management isn't involved.
04:50
We may focus all of our risk management strategies on one area as opposed to another, so senior management has to get in there and communicate their prioritization in their approach to risks.
05:04
So when we do talk about communications, risk communication is
05:11
exchanging information, views about risks among the decision makers and the stakeholders, the decision makers are those folks that can choose to mitigate a risk in a particular manner.
05:25
Our stakeholders, anybody that's impacted by this particular work that we're examining. So you've got a lot of stakeholders.
05:33
So what we're looking to do here is talk about
05:38
the nature of risks, how we may respond to risk, what the status of risks is. But ultimately it's all about
05:47
establishing a risk culture, using good communications in order to maintain that environment and make sure that people within our organization are educated and aware.
06:00
So ultimately,
06:03
what we want is we want a greater.
06:10
We want a more stringent approach to how our organization operates in relation to risk. We want it to be. We want checks and balances in place. We want greater control. We get that through communicating expectations and then monitoring
06:28
activities like through audits or through other forms of testing.
06:31
All right, again, like we said,
06:34
culture ultimately drives behavior.
06:38
So your risk culture, we've got the shared values and, you know that's true. Your values dictate how you behave, right?
06:46
So with the risk culture, the definition being the set of shared values and beliefs that governs attitudes:
06:56
as you think, so shall you act?
07:00
I don't know what that's from, but it's really good, right? How I think is how I'm gonna
07:04
So change the culture, which will change behavior. And we talked about ethics, mentioned that briefly: ethics, how an individual feels about right and wrong. They're not necessarily tied to the law.
07:18
So obviously stealing is against the law and it's unethical. But there are things that are unethical that may not be against the law. It's not against the law. Why? But that's not very ethical. So we want employees to behave in not just a legal fashion, but in the ethical manner as well.
07:40
All right now, just to kind of wrap it up. Senior management's job is to determine the risk appetite.
07:47
Okay, then our risk practitioner or risk team's gonna come in and assess what is our current risk culture. They may assess that based on interviews with employees, reviewing all the files, reviewing lessons learned, incident reports. But ultimately they're going to assess what the current perspective or the current
08:07
culture is in relation to risk.
08:09
Hey,
08:11
then they're gonna go in and conduct analysis to determine what are our priorities,
08:16
what areas
08:18
need the greatest amount of risk management, where do we allocate our resources, and then what we want to do is we want to make sure that the risk culture in our organization is operating in a manner to implement the risk management strategies that senior management has
08:37
relegated us to implement.
08:39
All right, so we're then going to implement and engage employees, get employees involved,
08:48
talk to employees where they can not just listen, but also have impact. Conduct meetings, and one of the things politically we see a lot of these days is town halls, right, where we get that interactive approach. Ask questions, make suggestions. Employees like
09:07
when they're
09:09
when they're valued. And one of the ways I show you I value is I listen to you. So I think that's very helpful.
09:16
And then ultimately, we look at the current culture after making these changes,
09:22
and we determine: is it working?
09:24
Is our current culture where we want it to be, and then we start all over again. If it's not
09:30
So, this is just the pathway of risk culture and risk communication. It really is just kind of a flow chart of everything we've talked about previously.

This course on Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Kelly Handerhan
Senior Instructor