Shaping Your Risk Culture Through the Selection and Retention of Your Risk Manager


You are a Board Director/CEO and you want to shape your risk culture — what do you look for in the risk manager of tomorrow?


Sustained excellence in organisational risk culture stems from repeated practices and behaviours of all staff and volunteers in an organisation. As Board Directors and CEOs, the culture of your organisation is directly shaped by:

  •  the expression of your own values, rules, beliefs, and attitudes and their alignment to the organisation’s values, rules, beliefs and attitudes; and
  •  the expression of your staff and volunteers’ values, rules, beliefs, and attitudes and their alignment to the organisation’s values, rules, beliefs and attitudes.

It is within this context that it can be said that risk management is partly about systems, process and quantitative models but more about changing human behaviour. If we say that risk management is primarily about human behaviour, then it stands to reason to focus more specifically on developing excellence in your organisational risk culture by changing the individuals within it. As my grandmother would say, “This is not an easy task, but it can be done”.


As highlighted above, you have three options when leading change in your organisational risk culture:

  1. Lead and change yourself as the Board Director/CEO — Governance Level; or
  2. Delegate the leadership for change to a risk manager or Chief Risk Officer — Operational Level; or
  3. A combination of the above, lead change at both levels — Governance and Operational.

I am suggesting that option three, a combined leadership approach at the Governance and Operational level is the best approach. However, the scope of this article is less about the governance level and more about the role you play in selecting, recruiting and retaining the talent of a risk manager to lead the change at the operational level.


As a Board Director/CEO recruiting a risk manager to own the process of leading change in human behaviour at the operational level should be your focus. Your risk manager must have the ability to incorporate, inspire and empower individuals with the behaviours you desire, and manage those you want avoided.


It has been said that risk managers operate in three consulting modes:

  1. Expert mode;
  2. Collaborate mode; and
  3. Open Hands mode.

I will briefly describe the three consulting styles and suggest that a combination of all three styles is needed by your risk manager, albeit, with a stronger focus on the collaborative style.


Expert Mode
People who operate in expert mode are highly analytical, problem and solution focused. They have been referred to as ‘fact finders’ and have a distinct preference for collecting and analysing facts often independently and without necessarily involving their internal or external stakeholders in the process. The key limitations in this mode include:

  • people issues being overlooked in the context of the issue or problem; and
  • the inability to gain support from a wide stakeholder base.

Collaborative Mode


People who operate in collaborative mode prefer to involve others in the process. They listen to ideas and opinions of their stakeholders and try to develop an understanding of their needs, concerns and attitudes. They are prepared to confront the difficult and emotionally challenging issues and work closely with their stakeholders to develop a win-win solution. However, the limitations of people who prefer consulting in this mode include:

  • overly long consultation process with the potential widening of a project’s scope, time and budget; and
  • a more compromised solution rather than the best technical solution as one seeks consensus.

Open Hands Mode
People who operate in open hands mode prefer to ask the clients what needs to be done. They are well organised and can apply their knowledge to ensure plans are turned into action. The potential limitations for this preferred mode of consulting include:

  • action by the risk manager does not address the real problem as the client may not articulate the problem/issue correctly; and
  • such a style may limit the use of the consultant’s wider knowledge base.

Individuals will fluctuate between the three consulting modes. However, it is important to understand that risk managers with a preference for Collaborative mode are more likely to ensure that change or improvements are implemented, as they have the ability to canvass opinions widely, take the time to understand your stakeholders’ needs and ultimately build ownership of the solution through collaboration.


Recruitment and training of risk managers has historically focused too much on the Expert consulting mode: the technical accuracy of risk and qualitative assessment, and the knowledge and implementation of enterprise-wide risk frameworks, risk report systems and tools. I’m not saying these are not important, because they are. What I am saying is that the risk manager of tomorrow needs to spend more time in the collaborative consulting mode: developing relationships and working in cross-functional teams to drive ownership to the individual managing the risk, thereby ensuring change is sustainable.


My top four attributes
Here are my top four attributes that Board Directors and CEOs should be looking for in the risk manager of tomorrow:


  • A burning curiosity to learn from all people and an ability to readily connect with people by gaining their trust — in the words of Stephen R. Covey — “Seek to understand, then to be understood”;
  • An ability to influence individuals and teams without authority — this is achieved when a risk manager understands that focusing on the personal, social and structural or invisible motivations of individuals is the most effective way to authentically influence. More specifically, the art of relating the meaning of an individual’s life purpose with their work and organisation’s purpose is a powerful means of developing an individual or group’s risk awareness, understanding and buy-in, thereby facilitating a sustained change in behaviour. In addition, the risk manager will be equally comfortable sitting as a Chief Risk Officer reporting to Boards and senior executive groups as they are in cross-functional teams;
  • Knowledge of people risk and interface and importance of human resource management — here the risk manager acts as a talent manager, actively mentoring, buddying and coaching individuals and groups. In addition, the risk manager will demonstrate a strong commitment to personal and professional continual improvement, with advocacy for risk management to become standard training in Management and Business qualifications;
  • An ability to adapt and thrive on change and uncertainty — the risk manager of tomorrow will have expertise and alignment in the schools of thinking of both planning and risk, which are both forward looking. Moreover, the risk manager will have an enterprise-wide focus of risk management with a desire and expertise to lead the use of advanced technologies to better align planning, risk, OHS, incident management, project management, quality, budgeting, and business performance reporting.

In Summary
As described above, I suggest that the discipline of risk management will evolve with a stronger focus on effectively leading change in human behaviour at the operational level. As a Board Director/CEO the selection and retention of your risk manager and the position they hold within your organisation will be critical to achieving excellence in your risk culture.


In Zen Buddhism, a Koan is a puzzling, often paradoxical statement used as an aid to meditation and a means of gaining spiritual awakening.


My Koan for risk management is this: “the soft stuff is the hard stuff”. This paradoxical statement can hopefully be used by Board Directors and CEOs to select, recruit and retain the risk manager who is not only an expert in the implementation of Enterprise Risk Management (ERM) frameworks and qualitative analysis but, moreover, an expert in the “soft stuff”.

About Shaheen Evans

Shaheen is currently the Executive Manager Planning and Risk at Villa Maria. Shaheen's experience spans more than 17 years across the public and private health, regulatory and compliance sectors and with previous Board Director experience in residential aged care. He has previously held senior management roles at Medicare Australia, WorkSafe Victoria and the TAC. He holds professional qualifications in pharmacy, law, business administration and risk management, is a graduate member of the Australian Institute of Company Directors and a member of the Risk Management Institute of Australasia.


  1. Shaheen
    You may be interested in these articles and links, if you haven’t already seen them,

    Blog site Book:

    The nonprofit governance model in the book is based on: building trust between the board and management; eliminating redundant board committees; eliminating board micromanagement; focusing the board on policy & strategy; and having a robust board evaluation focused on outcomes and impacts, not processes. It has been adopted or adapted by thousands of nonprofit boards.

    Many ways book can be used: Adopt or adapt the model; Reference source for board issues; Training tool board development; Motivational tool for director engagement; Reference to understand board governance & compliance obligations

  2. Great Comments Shaheen, I was thinking about the future CRO this morning and actually concluded that it will be the gamers who will succeed, I will be writing soon on my blog about this, but here are a few pointers:

    1. They CAN strategise
    2. They can react in SECONDS
    3. They Focus On The Bottom Line
    4. Change is GOOD
    5. Diversity is GOOD
    6. Learning is seen as fun
    7. Innovation is a lifestyle

    Sometime soon on:
