The role of risk culture in cyber risk management, and more broadly in overall risk management, is largely undervalued.
In companies, and more broadly in organizations, that take risk into account and therefore engage in risk management in a structured manner, efforts are directed above all at improving existing risk management systems rather than at exploring the underlying risk culture. In this regard, paying too much attention to risk management processes and regulatory compliance, without taking into account the risk culture specific to each organization, devalues both the interest in risk management and its effectiveness.
Effective risk management is not only about tools, processes, procedures and systems; it must take into account the specifics of the risk culture that prevails in the company or organization. Risk culture is a subset, or complement, of organizational culture. It is therefore based on shared values and ethical principles rather than on processes and formal systemic governance. It should be borne in mind that every organization has a risk culture, even without knowing it explicitly, reflected in particular in a greater or lesser tolerance and appetite for risk: the question is whether this risk culture supports or erodes the long-term success of the organization. The risk culture that prevails in an organization very largely influences its ability to manage its risks, for better or for worse.
Cyber risk culture is a specific aspect of an organization’s overall risk culture. Since the vast majority of cyber incidents still have their original source in what is called the “human” factor (errors, negligence, risky behavior, malicious acts, etc.), it becomes necessary to explore the root causes of these human behaviors and risky practices by taking into account the culture of the work environment and, more broadly, the risk culture of the organization. In addition, cyber risk and its management must be understood by all employees: employees cannot have a strong culture around what they do not understand. An integrated approach should also be favored. Taken independently of the organizational culture and the risk culture of the company, cyber programs and campaigns aimed at employees, such as security policy communications, awareness campaigns and training plans, can only have limited results, since they do not take into account the beliefs, values, and appetite and tolerance for risk that prevail in the organization and among its employees.
I welcome your thoughts and comments.