Assessing a Company’s Risk Culture and When to Act


Dale Killinger & Tara Carcillo

Date Published: Jul 28, 2023
7 minute read
Category: Risk Culture

The Clearing’s CEO, Tara Carcillo, and Global Data Risk’s Dale Killinger, a former Federal Bureau of Investigation Special Agent, are regular collaborators and strategic partners, leveraging their firms’ expertise to help organizations assess their own risk posture. Here, they provide insight into what modern leaders must consider when determining risk posture for their organizations – and what the consequences may be for ignoring it.

Defining Corporate Risk Culture

Apple’s culture of secrecy. Patagonia’s philanthropic mission. Meta’s penchant for ‘disruption.’ Companies create microclimates of culture, evidenced in the actions of the staff from when they start the workday to how people and teams connect in the office or remotely. Culture is also reflected in the intellectual property businesses create and the measures they take to protect what gives them their competitive edge – we call this corporate risk culture.

Corporate risk culture manifests in many ways, including who has access to sensitive information and the security practices put in place to protect it. With data breach damages hitting an all-time high average of $4.35 million, ideas and data have become prime targets for theft. Companies that can’t afford the loss of capital or reputation should take note: understanding an organization’s risk culture isn’t optional; it’s vital.

To assess an organization’s risks, leadership should ask: When must we evaluate our risk culture? How do we set our risk tolerances? Who owns our risk culture management? Who reinforces our current and desired culture?

Below, we’ll discuss the foundational methods and considerations for assessing and managing risk culture so you can effectively answer those questions.

When a Company Should Evaluate Risk Culture

Like societies, businesses – and their cultures – are constantly in motion, both externally and internally, evolving to meet environmental changes, market changes, and the court of public opinion. An important part of surviving those changes is the ability to define risk culture and develop mitigation practices that minimize threats.

When should a company evaluate its risk culture?

  • When a company is founded (or even at inception)
  • During a significant growth period
  • At the time of an acquisition or merger
  • At the point of major intellectual property development
  • During a scheduled, purposeful review (e.g., annually)

An organization changes in size, reputation, and the products it develops over time. In 2023, the United States anticipates the start of 30,604 new businesses. When these companies are born, they begin a life cycle of cultural development. This may require rapid changes in mindset and structure, which are likely amplified by the organic culture of the startup, since different cultures attract a certain type of professional or employee persona. As the company matures, a degree of stability sets in and the company can adjust its hiring practices to suit its longer-range strategy and the culture it seeks to achieve.

Companies that survive the challenges of early establishment reach a point where the industry and competitive hiring landscape change, increasing their risk profiles exponentially. It’s essential to recognize that during these transition periods, the same cultural characteristics that served an organization in previous iterations may no longer be a risk-appropriate fit; new liabilities and constraints on the company’s security posture emerge, even if they are not always recognized and assessed.

How to Evaluate Risk Culture

While there is no standardized process for assessing a company’s risk culture, here are three important questions that can serve as a starting point to establish and set evaluation benchmarks.

  • How do a company and its managers handle conflict? Naturally, organizations set thresholds to manage their operations, including how they handle conflicts like loss of clients, internal crises, and threats to intellectual property. Understanding how problems are managed, communicated, and resolved is an ideal place to focus at the start of an evaluation. Specifically, a leadership team must understand the human impact of dominant conflict management approaches in the organization. Beliefs drive behavior and what an employee believes to be true about the leadership and management team can dial up or down human-centered risk.
  • What issues get escalated, and how? Many offices deploy mitigation resources to manage active threats quickly but fail to administer and support the needed changes in policy and behavior immediately and well after the incident or matter. Understanding what gets escalated is a deductive way of determining what information a company values and the risks they are willing to take. It is also worth tracking what issues are close to being escalated and how they are managed. This assists in building out and modeling effective risk response, ensuring risks are viewed collectively and through an interdisciplinary lens. This fosters an anticipatory and responsive risk culture.
  • Who is accountable for what? Responsibilities and access to intellectual property will generally vary by team and sector. Accounting department employees probably don’t need access to sensitive operations or research information to do their job well. Understanding who actively uses your market-defining or proprietary assets, and prioritizing access to them in the risk evaluation process, will help ensure proper accountability.

Determining Responsibility and Ownership for a Company’s Risk Culture

Who ultimately owns the risk culture proposition, and who maintains and implements its guidelines, depends mainly on how a company operates. Each of the four main business structures – flat, functional, multi-divisional, and matrix – has drawbacks and advantages. Matrix-structured businesses that rely on cross-team collaboration to share resources across projects can be particularly challenged in accurately evaluating ownership of, and access to, secure information and intellectual property within their management hierarchy.

Whatever the structure, risk management relies on buy-in from C-level leadership, as their experience and direct efforts can greatly impact prescribed solutions and their reinforcement. In many cases, risk tolerances are dictated from the top of the house – possibly informed by what wakes a CEO up in the night. But these concerns are often siloed rather than communicated across the company leadership. If left unaddressed, this risk segmentation often leads to problematic circumstances, such as data breaches and significant insider threat issues. Risk is every employee’s business, and it’s not uncommon for new or junior-level employees to have eyes on the ground that can contribute to an accurate assessment. Management should ensure they have a voice in the risk process.

Regarding risk evaluation, the global business market is notably volatile, with just over half of CEOs (56% according to the PricewaterhouseCoopers Global Risk Survey 2022) choosing to invest in risk culture. Assessing risk culture is much more than just an exercise: it enables an organization to gain the necessary perspective on accepted behaviors and to identify the challenges and obstacles preventing the cultural improvements needed to anticipate and mitigate unexpected events. Dealing effectively with risk and compliance matters across the entire suite of business operations allows company leadership and management to build confidence that staff will make decisions, in all situations, that protect the organization while maintaining a strong ethical framework.

What’s Next

If you’re looking to make sense of your organization’s risk landscape, The Clearing and Global Data Risk (GDR) can help. We would love to hear what is happening and help you formulate a plan to thrive in the future.